Smarter technology for a Smarter Planet:

Thinking outside the box 
depends on what’s in the box. 

The systemic inefficiencies in many server rooms today, in terms of both energy 
consumption and utilization, are becoming unsustainable. It isn’t simply a question 
of cost — it’s also about maintaining day-to-day operations. A recent study found 
that an estimated half of all businesses experience IT outages due to power and 
cooling issues. 1 

As we build out the infrastructure of a smarter planet, companies need to consider 
not only how much power is under the hood of their next server purchase, but 
also how much energy will be consumed to provide that power. That’s where 
smarter tools like the IBM BladeCenter® HS22 come in. It’s designed to give you 
greater efficiency at every level, from its highly efficient design and Intel® Xeon® 
Processor 5500 Series to its advanced management software like IBM Systems 
Director that actively monitors and limits power consumption. All of which can 
add up to 93% in energy savings over the previous generation of rack servers. 

Learn how you can see a return on your investment in as little as three months 2 
at ibm.com/hs22 

Systems, software and services for a smarter planet. 



1 Source: IDC Market Analysis #215870, Volume 1, December 2008, Worldwide Server Energy Expense 2008-2012 Forecast. 2 Return on investment and power savings calculation based on 11:1 consolidation ratio scenario of 166 Intel 1U 2 socket servers to 14 BladeCenter HS22 servers and savings in energy costs, software license fees and other operating costs. Actual costs and savings will vary depending on individual customer configurations and environment. For more information, visit www.ibm.com/smarterplanet/claims. IBM, the IBM logo, ibm.com, BladeCenter, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. Intel, the Intel logo, Xeon and Xeon Inside are trademarks or registered trademarks of Intel Corporation in the United States and other countries. © International Business Machines Corporation 2009. All rights reserved.

Powerful.

Intelligent.
Learn more about VIPRE Enterprise here: www.sunbeltsoftware.com • 1-888-688-8457

















Next Generation of Total Malware Protection 



The configurable Command Center puts all the 
information you need in one place. Manage individual 
agents, quarantines, threats, and more. 


[Chart: CPU % Used During Scan, comparing VIPRE, McAfee, Trend Micro, Symantec, Sophos, and Webroot]



How does your current software compare? 

VIPRE Enterprise scans at a brisk 13.95 MB/sec and 
uses just 27% of CPU and 50 MB of RAM. In idle, it 
uses a mere 13.3 MB RAM with a disk footprint of just 
113 MB. You'll hardly notice it's running! 


Until now, antivirus engines have been Frankensteins, bolted together 
from bits and pieces of different products. They're slow, full of bugs, and 
hard to manage. 

VIPRE Enterprise is a revolutionary new approach. It's built from scratch as the 
all-in-one antivirus, antispyware, anti-rootkit solution that gives you complete 
endpoint malware protection without hogging resources! It's fast, powerful, 
and easy. 

Plus, advanced anti-malware technology protects your 
system against the new wave of malware threats. No more 
juggling multiple programs. No more dealing with user 
complaints about slow workstation performance. 

• COMPLETE! All-in-one protection from today's malware. 

• FAST! High-performance and low impact on system 
resources. 

• EASY! Manage everything easily from one command 
screen. 

• RELIABLE! Configurable, real-time monitoring technology 

• AFFORDABLE! Low $10 per seat pricing to save you 
money. 

Why struggle with slow resource hogs when you can 
manage ALL your malware threats with one fast, easy 
application? 

Curious? Download your FREE copy of VIPRE Enterprise 
and give it a test drive. 




Sunbelt Software 


When you compare VIPRE Enterprise to Symantec, McAfee, Trend Micro or
whatever antivirus program you're using, you WILL want to switch! Don't
worry, though. You can get VIPRE Enterprise at our competitive upgrade price
of only $10 per seat!


Download VIPRE Enterprise today and get your own home version of VIPRE to keep FREE as our gift to you! 

www.TestDriveVipre.com 

Sunbelt Software Tel: 1-888-688-8457 or 1-727-562-0101 Fax:1-727-562-5199 www.SunbeltSoftware.com sales@sunbeltsoftware.com 

© 2009 Sunbelt Software. All rights reserved. VIPRE Enterprise is a trademark of Sunbelt Software. All trademarks used are owned by their respective owners. 

New licenses are available for $10/seat up to 500 seats, minimum 10 seats. For customers with over 500 seats, please call for special pricing. Available for a limited time and subject to change without notice. See website for more details. 


Download now 














































Failure is NOT an option in ANY economy 

Reduce Risk While Reducing Cost 




• Automate Multi-Site Recovery 

• Optimize Data Replication to enable Windows 
Server® Multi-Site Clusters 

• Enable Hyper-V™ disaster recovery 

• Migrate Hyper-V VMs with or without shared storage 


SteelEye® Technology and Microsoft® are offering a joint disaster recovery solution for virtualized environments based on 
SteelEye DataKeeper® Cluster Edition, the only Microsoft multi-site cluster solution certified for Windows Server 2008. 
This blending of capabilities affords companies worldwide a distinct advantage in facing the challenge of sustaining and 
protecting their IT resources during tough economic times. Having the ability to seamlessly move physical or virtual 
workloads within the data center or to remote locations is a proven and highly reliable method of protecting applications 
and data. 


SteelEye DataKeeper and Microsoft Windows Server® 2008 is THE ONLY solution for your business continuity or disaster
recovery needs. It will minimize the impact of outages and guarantee your applications and data are available in the 
event of planned events or a catastrophic site loss. 


Replicate Any Data. 

Protect Any Application 


visit us at http://www.steeleye.com/hyper-v/ 



Microsoft GOLD CERTIFIED Partner




© 2009 SteelEye Technology, Inc., All rights Reserved. SteelEye, SteelEye Technology, LifeKeeper and SteelEye DataKeeper and associated logos are registered trademarks or trademarks of SteelEye Technology, 
Inc. and/or its affiliates in the United States and/or other countries. All other trademarks are the property of their respective owners. 
Smarter technology for a Smarter Planet:

Finding meaning in the noise. 

An unprecedented amount of information flows through companies every day. But to what effect? 
A recent study found that 52% of managers have no confidence in the information they rely on to do 
their job. Without the right approach to business intelligence, companies struggle to turn all that 
information into sound decisions. IBM business intelligence and performance management solutions 
give you the smarter tools you need to access the right information, making it available to the right 
people when and how they need it. Today IBM is helping over 20,000 companies spot trends, mitigate 
risk and make better decisions, faster. In fact, we helped a major retail supplier achieve this by cutting 
their average financial reporting time by almost 50%. 


A smarter business needs smarter software, systems and services. 
Let’s build a smarter planet. ibm.com/intelligence












IT PRO PERSPECTIVE 



Crockett 

"The decision to upgrade to Server 2008 
R2 and Windows 7 is primarily a hardware 
consideration, and unlikely to be made 
across the board." 


To Deploy or Not To Deploy 

How One IT Pro Is Making the Decision 


Sorting through the crush of information surrounding
a product launch wave can be daunting. For IT pros
contemplating their 2010 budgets and determining
whether to include Windows Server 2008 R2, Windows
7, Exchange Server 2010, and/or SQL Server 2008 R2
migrations—just to mention a few—sometimes it's
helpful to hear how other IT organizations are approaching these
decisions. A recent conversation I had with Matt Becker, systems
administrator for a software development company in Pennsylvania,
yielded some insights into this decision-making process from the
perspective of a medium-sized organization of about 150
users, predominantly developers—in other
words, demanding power users.

"This is the smallest number of users 
I've ever supported," Becker said. "Because 
they're power users, they can typically take 
care of most small problems themselves. But 
when they do have problems, they're a lot 
bigger. They have a lot of control over their 
environments—they're always downloading 
and installing tools." In his previous position 
at a healthcare company, Becker supported 
hundreds of users, which was "no big deal" 
because these users typically had standard configurations. His current
company is primarily a Windows shop with about 30 Windows
Server 2003 machines. Critical applications include Exchange
Server, the e-commerce system, and SharePoint 2007, which represented
a significant investment for the company that drove other IT
needs further down the list.

"The key driver for SharePoint was version control for the documents
shared by the business development division," Becker said. "A
lot of people touched those documents, and SharePoint put it all in one 
place and kept it organized." Becker attended a three-day SharePoint 
training course, which added to the total cost of the deployment. 

Looking ahead to the new product launch wave, Becker boiled
down the various factors that will drive his adoption of new technology
to include these considerations: compliance, hardware, support,
and training. The archiving capabilities in Exchange 2010 might compel
Becker to engage in his only real sales pitch to company executives
for deploying one of Microsoft's upcoming releases. "We don't have
compliance tools in place yet, and we're looking at third-party products,"
he said. Becker currently has to conduct machine-by-machine
email searches to satisfy legal discovery requirements. "But I'm investigating
whether Exchange Server 2010 can take care of this."

The decision to upgrade to Server 2008 R2 and Windows 7 is 
primarily a hardware consideration, and one that isn't likely to be 
made across the board. Rather than launching a full-scale Server 
2008 R2 and Windows 7 deployment, the company will phase in these 
products as old hardware retires. He also said that any progress on
deploying a unified messaging system was dependent on first updating
the company's PBX system to VoIP. But the
reality for Becker's company is that the SharePoint
2007 deployment pushed infrastructure
investments further into the future.

Support issues weigh particularly heavy in 
Becker's decisions about mobile technology. 
Declaring PDAs "a nightmare" to support 
in general, he's rejected Windows Mobile 
devices outright because of the support issues 
and has cut support time significantly by 
deploying BlackBerry devices instead. 

And then there's training. Becker admits
that his first thought in adopting new technology
is always the dread of the learning
curve. The three-day course he attended
for his company's SharePoint deployment was helpful to him, but
he acknowledges that this level of training isn't the norm. He listed
some of the usual resources he turns to when he needs to bone up
on new technology: books (he still prefers the printed kind), conferences,
and training sessions—but only if they include lab sessions.

In the final analysis, most of Becker's decisions will come down 
to the result of his conversations with executives and end users 
about which of the overwhelming array of emerging technologies 
will really make a difference to the business. "It's really up to me to 
engage them and determine what makes the most sense." 

What makes the most sense for your company in this launch
wave? I'd love to hear about the factors that are driving your
decision-making process for 2010 IT expenditures.

InstantDoc ID 102993 

MICHELE CROCKETT (michele.crockett@penton.com) helped launch 
SQL Server Magazine in 1999, has held various business and editorial roles 
within Penton Media, and is currently editorial and custom strategy director 
of Windows IT Pro, SQL Server Magazine, and Systemi Network. 


Factors that will
drive Becker's
adoption of new
technology include
compliance, hardware,
support, and
training.
Smarter technology for a Smarter Planet:

Is your information 
withholding information? 

Most businesses have a data management strategy. And another. And another. One for every application: 
ERP, CRM, SCM, HRM, etc. The result is a proliferation of siloed, disjointed data that gets in the way of 
smart decisions. An Information Agenda from IBM moves you from an application-centric approach to your 
information toward a more holistic view of your information systems. So you can make use of your data 
to make decisions faster and with greater confidence - helping you optimize processes, predict market 
changes and act on new opportunities. Banks can better manage financial risk. Retail companies can 
spot trends. Manufacturing companies can speed delivery across a complex supply chain. So information 
works for us, instead of vice versa. 


A smarter business needs smarter software, systems and services. 
Let’s build a smarter planet. ibm.com/infoagenda
READER FEEDBACK

■ Upgrade Treadmill
■ AD Merger
■ Tyranny of My
■ Palm Pre


Off the Upgrade Treadmill

I agree with Jeff James in his editorial, "Is
the Microsoft Upgrade Treadmill Broken?"
(October 2009, InstantDoc ID 102730). We
still run Microsoft Office 2003 and Windows
XP on every computer in our organization.
The new budget year just rolled around, and
we'll be ordering new PCs with XP. Microsoft
needs to stop trying so hard to be Goliath.

Most people recognize that the Apple
iPhone is the greatest thing since sliced
bread. So, leave it alone! Instead of trying
to compete against the iPhone, Microsoft
should consider creating tools that professionals
and hobbyists can use to build better
apps for it.

It's silly that Microsoft has spent so much
time and effort working on a search engine
when there are already some great ones
out there. My users use Microsoft Word as
an electronic typewriter. They don't need
99 percent of the bells and whistles of Word
2007. The same goes for Microsoft Excel. I
don't need Office 2010, I don't need Windows
Vista or Windows 7, and I
certainly don't need Bing.

—Scott Gutauckis

The Tyranny of My

I'd like to thank Paul Thurrott
for his continued
vigilance to inform the
world about all things
Microsoft. I've been
reading about his experience
with Windows 7 for
months. One of the best
things about Windows
Vista was its removal
of the word "My" from
OS-created and -maintained folders. It is
with great sadness that I report, after installing
Windows 7, that the Tyranny of My has
returned: My Computer, My Data Sources, My
Documents, My Drawings, My eBooks, My
Faxes, My iBases, My Keyboard, My Mail, My
Monitor, My Mouse, My Music, My Network,
My Notebooks, My Pictures, My Projects, My
Scans, My Sessions, My Songs, My Stuff, My
Templates. So much for the alphabet—let's
just file everything under "My"!

I work with about 50 computers, but
none of them are mine! They're company
computers; they don't belong to the people
who use them. I use three programs that
repeatedly create the folder My Sessions.

It's frustrating to see this terminology back
in the OS. Now we'll have to wait at least
another three years before we can dream
about it going away again.

—Jesse

Goodbye Windows Mobile, 

Hello Palm Pre! 

I read Paul Thurrott's Short Takes article
"Despite Pre, Palm Financials Still in Dumpster"
(InstantDoc ID 102829). One Palm Pre
feature that I haven't seen anywhere else
is its ability to meld two
(or more) email/calendar
accounts into one view.

I can display two separate
Microsoft Exchange
Server accounts (different
domains). I'm a consultant
with my own corporate
Exchange account and a
customer account, so I find
this feature incredibly useful.
Other smart phones
give me only one exchange
account; the other must
be IMAP or POP. For this
feature alone, I'm seriously
thinking about moving from Windows
Mobile to the Pre! I would be sorry to see
Palm collapse after such a brilliant offering!

—Ze'ev Ionis


Active Directory Merger 
Advice 

I enjoyed Eric B. Rux's article, "Plan and 
Execute an Active Directory Merger, 
Part 1" (October 2009, InstantDoc 
ID 102596). We're currently in the 
middle of a time-consuming merger 
process, and we've discovered that 
it requires much work and planning. 
One lesson we've learned is that any
domain with Exchange Server 2007
can't be renamed, and any server product
under Microsoft System Center
umbrella must be completely reinstalled
in the new domain.

—Eric Sabo 

Eric B. Rux's tremendously helpful AD-merger
article was very timely for me.
My site-to-site VPN is almost ready, and 
I'll be working on the migration soon, 
so I'm anxiously awaiting Eric's next 
article on the topic. 

—Jason Sedlaczek 

We're glad to hear that readers found 
Eric's article useful. Part 2 appears in this 
issue, page 50. 

—Amy Eisenberg 


Help an IT Guy Out! 

Let me say that I'm a big fan of Michael
Morales's What Would Microsoft Do? column.
It's now the first thing I read when I
get a new issue. Regarding his September
2009 installment, "Got High-CPU Usage
Problems? ProcDump 'Em!" (InstantDoc ID
102479), I'm having my own problems with
a slow-booting workstation, and I don't
want to rebuild it. Can you point me to a
tool that will let me capture what's happening
in the system during the boot process?

—Scott Adams 

Think you can help Mr. Adams with his
problem? Access the online article's Comments
section at www.windowsitpro.com,
InstantDoc ID 102479, and help a guy out!

—Jason Bovberg 

InstantDoc ID 102995 


Windows IT Pro welcomes feedback about the magazine. Send comments to
letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all
letters and replies for style, length, and clarity.


LETTERS@WINDOWSITPRO.COM 
Smarter technology for a Smarter Planet:

Building a fluid enterprise. 

To date, companies have spent billions of dollars building automated systems to manage vertical business 
functions—ERP, CRM, etc. Unfortunately, these systems were never designed to talk to each other. Today, 
the average employee wastes 5.3 hours per week working within these siloed and inefficient processes. 
IBM’s comprehensive business process management solutions connect your disparate processes, enabling 
fluid workflows. IBM has given over 5,000 companies the visibility and automated processes they need to 
respond to changing demands and work smarter, from a freight company that reduced development costs 
by 30% to an oil producer now measuring their fields in real time, doubling the industry’s average recovery rates. 

A smarter business needs smarter software, systems and services. 

Let’s build a smarter planet. ibm.com/flexible







IBM, the IBM logo, ibm.com, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names 
might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. © International Business Machines Corporation 2009. 
What if

fragmentation 

never happened? 



Even a good defragmenter working
invisibly in the background can’t 
touch a specific hidden source of 
performance loss caused by fragmentation 
that many IT managers are unaware of. Many 
know that all systems suffer from fragmentation 
and that fragmentation bottlenecks the slowest 
component on every computer: the hard drive. 
Automatic defragmentation catches fragments 
soon after they are created and returns files to 
a contiguous state. It’s a reactive fix. 

But what if fragmentation never happened? 


Today’s network efficiencies depend on achieving 
greater throughput. If it’s bottlenecked, it doesn’t much 
matter how much whiz-bang you threw money at in the 
way of equipment, your productivity suffers. The ability of 
a server, workstation or laptop to generate high I/Os per 
second (IOPS) has become one of the key throughput 
abilities system managers look for when upgrading their 
networks. I/Os are a critical resource and the more 
effectively they are employed toward direct production, the 
more work gets done in the least amount of time. 


The problem worsens with scale. The busier a system or a 
network is, the more fragmentation is being created by 
"diverted” split I/Os and the more overexpansion and 
provisioning is needed to get a job done. 

Introducing Diskeeper® 2010 performance 
technology with IntelliWrite™ — the first ever
fragmentation prevention technology. 

Diskeeper Corporation, the inventors of automatic 
defragmentation, has just released a technology that takes 
system performance and efficiency to a previously unattainable 
level. IntelliWrite file prevention technology proactively prevents 
up to 85% and more of the fragmentation a system can 
generate. This technology is completely new and no other 
solution comes close to the benefit IntelliWrite can have on 
every Windows® network. IntelliWrite keeps disks clean and 
fast by intelligently writing contiguous files to the disk. 



An at-a-glance UI showing how many file fragments were prevented gives the IT
manager an important window on system speed and efficiency gains.


The real damage 

When fragmentation occurs, the system has already 
wasted precious I/O resources by writing files into fragments 
of space on the disk. This cuts into the system's "effective 
IOPS”: system activity that leads directly to a desired 
product, not a preparatory activity needed so productivity 
can occur. This event has tremendous ramifications. As 
a simplified example, if you need 1500 IOPS to get a job 
done in the afforded period of time and your system will 
only give you 1000, you must either buy more hardware 
to get that productivity, do less work, or wait. The more 
I/Os that occur, the more disk head movement, the more 
energy the site consumes and the more cooling is required. 


So, what if fragmentation never happened? 
Benefits like these would become commonplace: 

• More productivity with the same hardware 

• Longer computer life 

• Completely new levels of speed and efficiency 

• Significantly less energy consumption including 
cooling requirements 

• Faster file reads and writes 

• Minimized/eliminated data replication traffic and 
storage requirements. 

See for yourself. Try Diskeeper 2010 with 
IntelliWrite FREE for 30 days. 

www.diskeeper.com/2010TW 


© 2009 Diskeeper Corporation. All Rights Reserved. Diskeeper, "the only way 
to prevent fragmentation before it happens” and IntelliWrite, are registered 
trademarks or trademarks owned by Diskeeper Corporation in the United States 
and/or other countries. All other trademarks and brand names are the property of
their respective owners. 


The only way to 
prevent fragmentation 
before it happens.™ 












IT COMMUNITY FORUM 


In Memoriam:

Bob Chronister, 1942-2009

It is with deep sadness that we report Bob Chronister, contributing editor, passed away
October 25, 2009. Bob's first article appeared in Windows NT Magazine in November 1995.
Longtime readers will remember Bob as the author of the popular Ask Dr. Bob, Tricks & Traps 
column, which he began writing in January 1996. 

"By the time I joined the magazine later in 1996, Bob's FAQ was already some of the most 
popular content we published," recalls Amy Eisenberg, executive editor. 

Bob continued contributing FAQs to the magazine until September 2006. We will 
remember him for his deep technical insights and his keen wit. 




devinganger Curses! Windows 7 Easy Transfer Wizard won't run 
on Windows 2008. How am I supposed to upgrade my laptop now? 

Monday, September 21, 2009


Instant Poll Results:

Exchange Upgrade Plans

For organizations currently using primarily Exchange Server 2003, what are your upgrade plans?

[Bar chart; vertical axis 20 to 60. Response options: Skipping Exchange 2007 and going straight to Exchange 2010; Upgrading to Exchange 2007 as scheduled with no plan to move to Exchange 2010; Upgrading to Exchange 2007 as scheduled but planning an accelerated move to Exchange 2010; None. Values shown: 55%, 22%, 20%, 2%.]

Source: Windows IT Pro Instant Poll, October 2009.


From the Windows IT Pro Magazine Forum on LinkedIn

Windows 7 

I just migrated to Windows 7. So far no issues 
with my legacy applications. It's fantastic... better 
than Vista. 

—Masialeti Masialeti 

Windows Server 2008 R2 

How many of you are running Server 2008 and
how quickly do you plan to roll out R2? 

—Amy Eisenberg, Executive Editor 

We're using Server08 for Hyper-V mostly. As far as
upgrading the current systems to R2, no plans yet. 

—Nate McAlmond 


I upgraded our Active Directory to 2008 in August 
of 2008 and went fully native by November 2008.
We have a number of other new servers that are 
running 2008 Server as well. We don't plan to push 
R2 to anything. We will just start ordering it with 
new servers. 

—Robert Jones 

I have heard rumors that the R2 version only allows 
Vista/Win7 clients. Is that true or just a vicious tale? 

—Mike Johnson 

I spoke with our technical director, Michael Otey, who 
said the rumor is not true. A handful of features, such 
as Branch Cache, will work only with Windows 7 
clients. But in general, R2 handles other clients.

—Amy Eisenberg 


Savvy Assistants

Your guide to sponsored resources 

5 Best Practices for 
Smartphone Support 

This paper features real-world examples from US 
companies on how the benefits of keeping mobile 
devices functioning without interruption are felt 
on every level of business: customers receive the 
service they expect; end-users can work efficiently, 
enjoying the promised benefits of mobility; IT has 
its burden lightened, freeing up time for proactive 
work; and the CFO can look forward to the results 
of effective mobility and a low TCO.
windowsitpro.com/go/MobileBP 

Deep Dive into VMware 
vSphere with John Savill's
Exclusive eLearning Series 

Join us on December 10 for three info-packed 
lessons and live Q&A sessions to explore the 
major functionality capabilities of the vSphere 
virtualization platform, including identification of 
the changes from ESX 3.5. We will look at the right 
ways to use vSphere and its major functionality 
areas. Register today! 
windowsitpro.com/go/VmWarevSphere 
eLearning 

Solid-State Drives (SSD) on 
SQL Server 2008 Show 45 
Percent Power Savings 

With solid-state drive (SSD) technology, a server 
can provide the same or a higher degree of 
performance with significantly less infrastructure 
and complexity than traditional hard-disk storage 
options. This white paper offers a comparison of 
solid-state drives to traditional serial-attached SCSI 
(SAS) disk usage on SQL Server 2008. The performance
comparison shows significant improvement
in potential user load and scaling, as well as power 
savings. 

windowsitpro.com/go/SSDonSQL 



NEED TO KNOW


Thurrott 

"The question with Office Web Applications 
is whether these solutions can replace their 
respective desktop-based counterparts. 
At first glance, it appears possible." 



What You Need to Know About Office Web Applications 


While Microsoft CEO Steve Ballmer claims that
free or inexpensive online alternatives to the
software giant's dominant Office suite have had
little impact in the market, it's pretty clear that
Microsoft is taking the threat seriously. Recently, 
the company began broadly testing web-based 
versions of several key Office applications, which will be marketed to 
consumers and businesses as Office Web Applications. Here's what 
you need to know about Office Web Applications. 

What are Office Web Applications? 

Office Web Applications are four web-based applications based on 
classic Microsoft Office applications. Dubbed Word Web Application, 
Excel Web Application, PowerPoint Web Application, and OneNote 
Web Application, these solutions provide an Office-like user experience
and a good percentage of the functionality one would expect
from a traditional Office application. (A fifth related solution, Outlook 
Web Application, is simply a rebranded version of Outlook Web Access 
and isn't provided along with the other Office Web Applications.) 

The question with Office Web Applications is whether these solutions
can replace their respective desktop-based counterparts. At
first glance, it appears possible. Each provides an Office 2010-like UI, 
with ribbon-based controls that replace the menus and toolbars from 
earlier Office versions. But comparing Office Web Applications with 
their desktop counterparts, you can see that Office Web Applications 
don't include as much functionality and are basically stripped down 
versions of the desktop applications. 

Microsoft has specifically designed Office Web Applications to 
work together with the traditional desktop applications, much in the 
same way that its Windows Mobile-based Mobile Office applications 
work. That is, Office Web Applications supplements Microsoft Office 
but doesn't replace it. 

Of particular interest are the collaboration capabilities in Excel 
Web Application and OneNote Web Application where two or more 
users can edit and interact in a live, open document simultaneously. 
I've only tested this with Excel Web Applications so far, but it appears 
to work as advertised. All of the web applications support easy sharing 
of documents, however, though that capability appears to be tied to 
the underlying storage scheme, which will be SharePoint-based for 
businesses. 

Where Office Web Applications excel is in what Microsoft calls 
document fidelity. If you pass a supported document through any 
of the web apps, perform editing, and then re-open that document 
in the desktop application (or vice versa), you should experience no
formatting issues. This was the case in various PowerPoint and Excel
data files I tested, though I wasn't able to test a more up-to-date Word 
Web Application version in time for this article. Microsoft promises 
similar fidelity with the next version of Mobile Office as well. 

One major limitation is that Office Web Applications don't support 
any form of offline mode—as, say, do Google Docs—so you won't be 
able to access or edit online documents via the web solutions if your 
Internet or network connection goes down. This makes the solution 
less viable as a day-to-day solution, or for those who travel frequently 
and are often offline. 

Also, even if you see the Office Web Applications as a supplemental 
add-on to Microsoft Office, only Office 2010, due in the first half of 
2010, is compatible with documents stored online. Microsoft won't be 
providing an add-on for users of Office 2007 or older Office versions. 

How Will They Be Delivered? 

Consumers will access Office Web Applications via the ad-supported 
Windows Live SkyDrive, which provides 25GB of online storage. Businesses 
will have two options: Microsoft will make a hosted version of 
Office Web Applications available via SharePoint Online that will be 
fee or subscription based and open to all customer types, including 
volume license customers. Additionally, those who opt into the Office 
Volume License program will be able to host Office Web Applications 
on their own SharePoint server internally. In the business scenarios, 
you will be able to integrate the services into your managed Active 
Directory infrastructure via a standard SharePoint experience to gain 
full IT administration, auditing, and document lifecycle control and 
to perform backup and restore. 

Recommendations 

By pushing its ribbon UI across all applications in Office 2010 and now 
to the web in Office Web Applications, Microsoft is creating consistent 
productivity environments that blur the lines between the PC desktop 
and the web. At the very least, the online apps should provide a nice 
supplement to the traditional desktop apps. You might realize some 
cost savings around keeping certain users on older Office versions and 
using Office Web Applications where possible. Office Web Applications 
should be enough to prevent most Microsoft shops from even 
considering Google Apps or other online alternatives. 

InstantDoc ID 102949 
WINDOWS POWER TOOLS 



Minasi 



Using Setx to Parse a Text File 

A little tinkering provides a solution that beats the scripting route 


I wanted to create a batch file that would check the status of my 
Internet connection, so I thought I'd start with a single ping to 
a particular DNS server on the Internet, redirect that output 
to a text file, extract the round-trip time in milliseconds, and 
display the results. But how could I grab a particular bit of text 
from an app's output? Setx provided the answer. 

I introduced Setx in "Enhanced Environment Variable Control 
with Setx" (InstantDoc ID 102706), but I didn't get a chance to show 
you its ability to parse text out of input. Setx views a text file as a set of 
text lines, each of which contains words. It then lets you identify the 
particular word that you want to extract with two coordinates: the 
line that it's found in and its word position on that line. Setx counts 
from zero, not one, so the coordinates to tell Setx to grab the fifth 
word on the third line would be (4,2). 

Setx extracts words out of text files that have regular structures, 
such as the captured output of a Ping command. Setx needs a text 
file to work with, so I'll create one by pinging my website once: 

ping -n 1 www.minasi.com>pr.txt 

But how do I tell Setx which line and word number identifies the 
reported round-trip time in milliseconds? I could start counting, of 
course, but that would be tedious. Instead, I can type 

setx /f pr.txt /x 

which causes Setx to dump all the words it can find in the text, along 
with their coordinates. For example, some of that output looks like 

(2,0 Reply)(2,1 from)(2,2 70.165.73.5:)(2,3 bytes=32) 
(2,4 time=30ms)(2,5 TTL=113) 

This shows that in the phrase Reply from 70.165.73.5: bytes=32 
time=30ms TTL=113, Setx found six "words": Reply, from, 70.165.73.5:, 
bytes=32, time=30ms, and TTL=113. The one I want, time=30ms, is 
prefixed with 2,4, meaning that it's the fourth word in the third line. 
Now I've got the information I need to tell Setx to take the captured 
output of a Ping command, extract the round-trip time, and put it 
into an environment variable that I'll call rtt: 

setx rtt /f pr.txt /a 2,4 

It responds 

Extracted value: time=30ms. 

SUCCESS: Specified value was saved. 


That will get time=30ms into the environment variable rtt, and that 
might be all I need, but what if I don't want the time= part? Well, as 
you've probably guessed, Setx's idea of a "word" is a set of characters 
surrounded by the beginning of a line, a space, or the end of a line. To 
pull the 30 out of time=30ms, I could use Setx's /d option to define 
extra delimiters (i.e., the equals sign and the letter m): 

setx rtt /f pr.txt /d "m","=" /a ... 

But that /a option needs coordinates, and I've rearranged the whole 
coordinate system quite a bit. How do I determine where 30 shows 
up with these new delimiters? I'd use another /x command, but this 
time with the delimiters in place: 

setx /f pr.txt /d "m","=" /x 

That command results in a real mess. To thin the output a bit, I can 
filter out all the lines except for the ones that contain 30, like so: 

setx /f pr.txt /x /d "m","=" | findstr "30" 

That shows just two lines: 

(2,0 Reply)(2,1 fro)(2,2 70.165.73.5:)(2,3 bytes)(2,4 32) 
(2,5 ti)(2,6 e)(2,7 30)(2,8 s)(2,9 TTL)(2,10 113) 

(7,0 Mini)(7,1 u)(7,2 30)(7,3 s)(7,4 Maxi)(7,5 u)(7,6 30) 
(7,7 s)(7,8 Average)(7,9 30)(7,10 s) 

The 30 I'm looking for is in the first of those two lines—yes, it's a bit 
uglier to read because Setx has removed the letter m —and so the 
coordinates I want are (2,7). 

Now I have a command that will pull out the roundtrip time: 

setx rtt /f pr.txt /d "m","=" /a 2,7 

And finally, I get the result 

Extracted value: 30. 

SUCCESS: Specified value was saved. 

If you're putting together something that winnows out just a few 
bits of information, and you don't feel like scripting, give Setx a try. 
It might save you some time. 

InstantDoc ID 102918 
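
The coordinate scheme this column describes, modelled in Python as an added example (it is not Setx's own code and not part of the original column): it reproduces the /x dump and the /a lookup, and shows what a fixed coordinate returns when ping prints "Request timed out." or "time<1ms". The captures are constructed samples, and the function names and the "m=" delimiter string are assumptions of this sketch.

```python
import re

# Constructed captures laid out like the column's pr.txt. Windows ping prints a blank
# first line, so the "Reply" line is line 2 when counting from zero.
PING_OK = (
    "\n"
    "Pinging www.minasi.com [70.165.73.5] with 32 bytes of data:\n"
    "Reply from 70.165.73.5: bytes=32 time=30ms TTL=113\n"
    "\n"
    "Ping statistics for 70.165.73.5:\n"
    "    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),\n"
    "Approximate round trip times in milli-seconds:\n"
    "    Minimum = 30ms, Maximum = 30ms, Average = 30ms\n"
)
PING_TIMEOUT = (
    "\n"
    "Pinging www.minasi.com [70.165.73.5] with 32 bytes of data:\n"
    "Request timed out.\n"
    "\n"
    "Ping statistics for 70.165.73.5:\n"
    "    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),\n"
)
# Sub-millisecond replies are printed as "time<1ms", which has no "=" to split on.
PING_FAST = PING_OK.replace("time=30ms", "time<1ms")


def tokenize(text, extra_delims=""):
    """Split every line into words on whitespace plus any extra delimiter characters."""
    splitter = re.compile("[" + re.escape(extra_delims) + r"\s]+")
    return [[w for w in splitter.split(line) if w] for line in text.splitlines()]


def dump(text, extra_delims=""):
    """Model of `setx /f FILE /x`: one "(line,word text)..." string per input line."""
    return ["".join(f"({ln},{wd} {word})" for wd, word in enumerate(words))
            for ln, words in enumerate(tokenize(text, extra_delims))]


def extract(text, line, word, extra_delims=""):
    """Model of `setx VAR /f FILE /a line,word`: the word at that coordinate, or None."""
    rows = tokenize(text, extra_delims)
    if 0 <= line < len(rows) and 0 <= word < len(rows[line]):
        return rows[line][word]
    return None


def find(text, wanted, extra_delims=""):
    """Every (line, word) coordinate whose word equals `wanted`."""
    return [(ln, wd) for ln, words in enumerate(tokenize(text, extra_delims))
            for wd, word in enumerate(words) if word == wanted]


def rtt_ms(text):
    """Round-trip time from coordinate (2,7) with delimiters m and =, checked before use."""
    value = extract(text, 2, 7, "m=")
    label = extract(text, 2, 5, "m=")
    # A fixed coordinate returns whatever word happens to sit there, so accept the value
    # only if it is numeric and the word two places before it is "ti", the first piece
    # of the split-up "time".
    if value is not None and value.isdigit() and label == "ti":
        return int(value)
    return None


if __name__ == "__main__":
    print(dump(PING_OK, "m=")[2])
    for name, capture in (("ok", PING_OK), ("timeout", PING_TIMEOUT), ("fast", PING_FAST)):
        print(name, extract(capture, 2, 7, "m="), rtt_ms(capture))
```

A batch file that reads rtt blindly would report "s" for the sub-millisecond reply and nothing at all for the timeout, which is why the numeric check belongs next to any coordinate-based extraction.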
Otey 





New Features in vSphere 4.0 

Increased scalability, hot add capability, and much more come to VMware's 
virtualization platform 


In last month's Top 10 column, I covered the top ten new 
features in Microsoft's Virtual Machine Manager 2008 R2 
release. In this column, I'll even out that coverage by guiding 
you through the top ten features of VMware's new vSphere 
virtualization platform. Most businesses have adopted 
VMware as their virtualization platform, but they're still 
using ESX Server 3.5 and the Virtual Infrastructure 3 management 
platform. Earlier in 2009, VMware released ESX Server 4.0 and the 
vSphere management platform as the successors to its widely 
adopted virtualization products. vSphere and ESX Server 4.0 include 
several important technological enhancements. 

• 64-bit hypervisor—Although not everyone realized it, the 
hypervisor in ESX Server 3.5 was 32-bit. As a result, ESX Server 
3.5 couldn't take full advantage of today's more powerful 64-bit 
hardware platforms. ESX Server 4.0 uses a native 64-bit hypervisor 
that provides significant performance and scalability enhancements 
over the previous versions. However, the new hypervisor does 
require a 64-bit hardware platform. 

• Increased VM scalability—ESX Server 4.0's new 64-bit architecture 
provides significant increases in scalability. ESX Server 
4.0 supports virtual machines (VMs) with up to 255GB of RAM 
per VM. In addition, the vSphere 4.0 Enterprise Plus edition provides 
support for up to 8-way virtual SMP per VM. The other editions 
support up to 4-way virtual SMP. These gains are available on both 
Windows and Linux guests. 

• Hot add CPU, RAM, and virtual disks—This important 
enhancement in vSphere 4.0 is designed to create a dynamic IT 
infrastructure through the ability to add CPU, RAM, and virtual 
disks to a running VM. The hot add capability lets you dynamically 
increase your VMs' performance during periods of high resource 
demands. 

• Thin provisioning—This feature is nothing new to Microsoft 
virtualization users; vSphere now offers a thin-provisioning 
feature that's essentially the equivalent of Hyper-V's dynamic 
disks. Thin provisioning lets you create and provision a Virtual Hard 
Disk (VHD), but the host uses only the amount of storage that's actually 
required by the VM rather than using the VHD's allocated size. 

• VMware Fault Tolerance—Fault Tolerance is a new high-availability 
feature in vSphere 4.0. Fault Tolerance works only 
between two systems. It uses a technology called vLockstep to 
provide protection from system failure with absolutely no downtime. 
VMware's vLockstep technology keeps the RAM and the virtual processors 
of two VMs in sync at the instruction level. 

• vNetwork Distributed Switch—vSphere 4.0's vNetwork Distributed 
Switch lets you create and share network configurations 
between multiple servers. The vNetwork Distributed 
Switch spans multiple ESX Server hosts, letting you configure and 
manage virtual networks at the cluster level. It also lets you move 
network configuration and state with a VM when the VM is live 
migrated between ESX Server hosts. 

• IPv6 support—Another enhancement in vSphere 4.0 is support 
for IPv6. Many organizations are planning to move to IPv6. 
vSphere's IPv6 support lets customers manage vCenter Server 
and ESX Server hosts in mixed IPv4/IPv6 network environments. 

• vApps—vApps essentially lets you manage as a single entity 
multiple servers that comprise an n-tiered application. Using 
vApps, you can combine multiple VMs, their interdependencies, 
and their resource allocations together as a unit. You can 
manage all the components of the vApps as a single unit, letting 
you power off, clone, and deploy all the vApps components in the 
same operations. 

• vSphere Host Update Utility—The new vSphere Host Update 
Utility lets you centrally update your ESXi and ESX Server 3.0 
and later hosts to ESX Server 4.0. The UI displays the status of 
the remote updates in real time. 

• VMware vShield Zones—VMware's new vShield Zones let 
customers enforce network access protection between VMs running 
in the virtual data center. The vShield Zones feature lets you 
isolate, bridge, and firewall traffic across vCenter deployments. 
Learn more about NetWrix Corporation here: www.netwrix.com/finalist • 888-638-9749 

Yet Another 10 Free Tools for System Administrators 

Audit Active Directory and file servers, detect inactive users, block USB devices, and more - for free 

The following freeware tools by Windows IT Pro Community Choice Awards finalist 
NetWrix Corporation can save you a lot of time and make your network more efficient — at 
absolutely no cost. Some of these tools have advanced commercial versions with additional 
features, but none of them will expire and stop working when you urgently need them. 

10. Disk Space Monitor (MS TechNet Magazine Sep’09: www.tinyurl.com/mngae7y) — Even with today’s terabyte-large hard 
drives, server disk space tends to run out quickly and unexpectedly. This simple monitoring tool will send you daily summary reports 
regarding all servers that are running low on disk space, below the configurable threshold. Download link: www.tinyurl.com/ygccuja 

9. Bulk Password Reset (reviewed by SoftPedia: www.tinyurl.com/bvo23aq) - While most companies have strong password 
policies for their employees, one critical issue is still neglected: local Administrator passwords on all servers are usually managed in 
a “set and forget” fashion, sometimes using some “well-known” passwords, opening a major surface for security attacks. The Bulk 
Password Reset tool quickly resets local account passwords on all servers at once, making them more secure. 

Download link: www.tinyurl.com/yb9e9b3 

8. Windows Service Monitor (WindowsReference.com: www.tinyurl.com/pqb37aw) —This very simple monitoring tool alerts 
you when some Windows service accidentally stops on one of your servers. The tool also detects services that fail to start at boot 
time, which sometimes happens, for example, with Exchange Server. Download link: www.tinyurl.com/w52qeoc 

7. VMware Change Reporter (TechTarget/SearchVirtualDesktop: www.tinyurl.com/hg93ekj) — If you don’t know what is being 
changed by your colleagues in the VMware infrastructure, it’s very easy to get lost and miss changes that can affect the things for 
which you are responsible. This tool tracks and reports configuration changes in VMware Virtual Center settings and permissions. 
Download link: www.tinyurl.com/kf7upu2 

6. Active Directory Object Restore Wizard (4sysops.com: www.tinyurl.com/tfx79jn) — This tool can save the day if someone 
accidentally (or intentionally) deleted a bunch of Active Directory objects. It provides granular object-level and even attribute- 
level restore capabilities to quickly rollback unwanted changes (e.g., mistakenly deleted users, modified group memberships, etc). 
Download link: www.tinyurl.com/yjxge99 

5. File Server Change Reporter (4sysops.com: www.tinyurl.com/kfa35w8) — This tool continues the line of auditing tools; this 
one for file servers. File Server Change Reporter detects changes in files, folders, permissions, tracks deleted, and newly-created 
files, and sends daily summary reports. This is a very useful tool to detect mistakenly-deleted files and recover from backup or to 
see if someone changes some important files. Download link: www.tinyurl.com/yzztwp9 

4. Inactive Users Tracker (MS TechNet Magazine May’08: www.tinyurl.com/fstl9nj) — This feature tracks down inactive user 
accounts (e.g., terminated employees) so you can easily disable them, or even remove them entirely, to eliminate potential security 
holes. The tool sends reports on a regular schedule, showing what accounts have been inactive for a configurable period of time (e.g., 
2 months). Download link: www.tinyurl.com/yhvzthj 

3. Password Expiration Notifier (Redmond Magazine Feb’09, 4sysops: www.tinyurl.com/yrlw97f) — This tool will automatically 
remind users to change passwords before they expire to keep you safe from password reset calls. It works nicely for users who 
don’t log on interactively and, thus, never receive standard password change reminders at log on time (e.g., VPN and OWA users). 
Download: www.tinyurl.com/yhu4fs5 

2. USB Blocker (Windows IT Pro Nov’09) — Users bring tons of consumer devices: flash drives, MP3 players, cell phones, etc., 
into the office and this aptly-named tool can block them with a couple of mouse clicks to prevent the spread of a virus and to restrict 
the take-out of confidential information. The product is integrated with Active Directory and is very easy to use. Download link: 
www.tinyurl.com/yj3fuxx 

1. Active Directory Change Reporter (Windows IT Pro Sep’09: InstantDoc ID 102446, Windows IT Pro Jan’09: InstantDoc 
ID 100593, TechTarget: www.tinyurl.com/kqkq28a) — This is a simple auditing tool to keep tabs on what’s going on inside Active 
Directory. The tool tracks changes to users, groups, OUs, and other types of AD objects, and sends summary reports with full lists 
of what was changed and how it was changed. In addition, it has a nice “rollback” feature that helps rollback unwanted changes 
(including deletions) very quickly. Download link: www.tinyurl.com/ygmxmv8 
Morales 



Disk2vhd: The Windows Troubleshooter's New Best 
Friend 

A new, free P2V tool makes some issues easier to reproduce and resolve 


Support calls are an inevitable part of a Windows IT 
professional's life, but that doesn't mean all support 
calls have to be excessively time-consuming. There are 
many things you can do to help shorten the time spent 
on a support call—by explaining the problem, collecting 
data, or performing a number of troubleshooting steps. 
One of the keys to ensuring a short call to Microsoft support is to provide 
a way for support engineers to reproduce the problem in house. 
Doing so enables our debug team to quickly and efficiently dig in 
and resolve the issue, usually in a matter of hours or even minutes. 

But helping Microsoft support troubleshoot your problem more 
efficiently isn't usually merely a matter of sending the support 
engineer a list of steps to reproduce the problem. This is because 
often it's unclear how or when the OS got into the problem state 
to begin with, so having a list of repro steps is useless for someone 
trying to reproduce the problem on a cleanly installed OS. In this 
column, I'll tell you about a new Windows Sysinternals utility, 
Disk2vhd, which can help with this aspect of Windows system 
troubleshooting. 

Disk2vhd Use Scenarios 

Disk2vhd (disk2vhd.exe) is another great 
utility from Mark Russinovich and Bryce 
Cogswell, which you can download at 
technet.microsoft.com/en-us/sysinternals/ee656415.aspx. 
Disk2vhd will convert a running 
physical machine into a Virtual Hard 
Disk (VHD) in Microsoft's Virtual Machine 
(VM) disk format. Having the system in a 
.vhd format allows Microsoft support engineers 
to quickly load up the image into 
either Hyper-V or Microsoft Virtual PC to 
reproduce the problem. Once the problem 
is reproduced, our debug team can dig into 
the issue and usually find root cause within 
a matter of hours. Of course, this utility has 
other obvious uses. You could use it for server consolidation or 
other scenarios where you may want to convert a physical system 
to a VM. 


For instance, by having an image of the customer's system, an 
engineer on my team solved a three-month-old support case in 
three hours. The customer implemented a customized security 
descriptor on the Application Event log, causing the Easy Print 
functionality to break on Windows Server 2008. Who would have 
expected that a permission change made on the Application log 
would affect printing? 

Prior to receiving the customer's image, our team discussed a 
lot of theories about the problem's cause and took steps to resolve 
the problem, but to no avail. Once we had the customer's image, 
the engineer quickly resolved the problem, which, as it turned out, 
was that the custom security descriptor removed the local system 
account's write access to the Application log. The Easy Print process 
has to be able to register (i.e., write) an Event Source ID with 
the Application Event log, and it does so through the local system 
account. 

Another type of issue that we resolved by using a customer's 
image was a problem where the association between .lnk files and 
the executables was broken, so if you tried to 
open the .lnk file via the common Open File 
Dialog box, the associated executable would 
not launch. Within three hours of receiving 
the customer's image, we were able to reproduce 
and debug the problem, which turned 
out to be caused by an unsupported registry 
change the customer made several months 
earlier to remove the little arrow associated 
with shortcut links. 

System Center Virtual Machine Manager 
(SCVMM) also provides the ability to create 
physical to virtual (P2V) images. (You can 
download an evaluation edition of SCVMM 
at www.microsoft.com/downloads/details.aspx?FamilyID=292de23c-845c-4d08-8d65-b4b8cbc8397b&displaylang=en.) 
However, SCVMM is rather large in size 
(more than 1GB), and its installation and configuration is far more 
involved than Disk2vhd's. If you only require the ability to convert 
a physical system to a VM, though, Disk2vhd is the tool of choice. 


WHAT WOULD MICROSOFT SUPPORT DO? 

Figure 1: Disk2vhd startup UI 


It's an easy-to-use utility and a must-have 
for any administrator who uses Microsoft 
support. Disk2vhd can save you time, 
money, and headaches if you have the type 
of problem that can be reproduced in a VM 
and outside of your corporate network. 
What I like about Disk2vhd from a time-saving 
perspective is that the .vhd image 
is natively created for Hyper-V or Virtual 
PC, which lets me as a Microsoft support 
engineer quickly move past the configuration 
and setup phase and right into the 
reproduction and debugging phase—thus 
saving time and providing a quicker resolution 
for the customer. 

Using Disk2vhd 

Disk2vhd's UI is simple and straightforward, 
as Figure 1 shows. You simply check 
the boxes for the volumes that you want 
included in the image. Then you type in 
where you want the .vhd file to be stored, 
which can actually be on the same image 
that's being converted. So if you're converting 
the C drive, you can actually store the 
.vhd on the C drive. However, as Mark Russinovich 
points out on the Disk2vhd website, 
you'll experience faster conversion times if 
the file is stored on a disk other than the one 
being actively converted. 

On my Dell Precision 380 with 4GB of 
RAM running Windows 7, Disk2vhd took 
approximately 10 minutes to convert the 
image to a .vhd file. Within a few moments, 
I was able to successfully load the image 
into Hyper-V, allowing me to interact with 
the image just as if I were on the physical 
machine itself. Had this been a real issue 
I was trying to solve, I could have downloaded 
the .vhd, loaded it up in Hyper-V, 
and started debugging in a few moments— 
circumventing the usual back and forth that 
can occur when trying to resolve problems 
on a remote system. 

Try It Out 

So, can you create an image for every type 
of issue and expect it to be resolved in a few 
hours? No is the simple answer, but that's 
because not every issue can be reproduced 
even if you have an image of the system. 
Before you send an image to Microsoft 
support, first test whether the problem 
can be reproduced. Many issues can be 
reproduced either right away or with a 
little configuration. The best way to determine 
whether your issue is a candidate for 
imaging is to try creating an image of your 
system by using the Disk2vhd utility, then 
attempt to reproduce the problem on an 
isolated network—which is essentially what 
we would do once the image was transferred 
to Microsoft support. 

Special thanks to Mark Russinovich and 
Bryce Cogswell for creating another valuable 
and easy-to-use tool that will dramatically 
help resolve issues much faster with 
far fewer headaches than other virtualization 
tools. Also special thanks to Venkatesh 
Ganga, a senior Microsoft escalation engineer, 
who contributed significantly to this 
article. 

InstantDoc ID 102980 

Learning Path 

Learn more about Disk2vhd: 

"Disk2Vhd / the Physical to Virtual Converter" InstantDoc ID 102940 

Disk2vhd v1.0, technet.microsoft.com/en-us/sysinternals/ee656415.aspx 

More Windows troubleshooting articles in this series: 

"Administrators' Intro to Debugging," InstantDoc ID 101818 

"Conquer Desktop Heap Problems," InstantDoc ID 101701 

"Examining Xperf," InstantDoc ID 102054 

"Find the Binary File for Any WMI Class," InstantDoc ID 102615 

"Further Adventures in Debugging," InstantDoc ID 102867 

"Get a Handle on Windows Performance Analysis," InstantDoc ID 101162 

"Got High-CPU Usage Problems? ProcDump 'Em!" InstantDoc ID 102479 

"Reap the Power of MPS_Reports Data," InstantDoc ID 101468 

"Resolve Memory Leaks Faster," InstantDoc ID 99933 

"Resolve WMI Problems Quickly with WMIDiag," InstantDoc ID 100845 

"Say 'Whoa!' to Runaway Processes," InstantDoc ID 100212 

"Simplify Process Troubleshooting with DebugDiag," InstantDoc ID 100577 

"Troubleshooting the Infamous Event ID 333 Errors," InstantDoc ID 101059 

"Under the Covers with Xperf," InstantDoc ID 102263 


MICHAEL MORALES (morales@microsoft 

.com) is a senior escalation engineer for Micro¬ 
soft's Global Escalation Services team. He spe¬ 
cializes in advanced Windows debugging and 
performance-related issues. For information 
about Windows debugging, visit blogs.msdn 
.com/ntdebugging. 
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TOOL TIME 
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Connect to Remote Machines 
with Royal TS 

If you manage a lot of remote servers, try Royal TS from Code4ward
(www.code4ward.net/main). This tool lets you connect to remote Windows
machines using RDP. Although Royal TS has now become shareware, the
older versions (version 1.5.1 and earlier) are still free.

Royal TS is a great lightweight replacement for the Microsoft
Management Console (MMC) Remote Desktop snap-in. Some of the great
time-saving features are the ability to:

• Set up automatic logons

• Add new remote connections as quick as you can type in the name

• Save your list of connections and move them to another machine

• Create and sort folders easily

• Connect to console by right-clicking

You can find the older versions of Royal TS by going to Royal TS's
download page (www.code4ward.net/main/RoyalTS/Download.aspx) and
clicking the link in the "Download Statistics and Previous Versions"
section at the bottom of the page.

Please be advised that McAfee SiteAdvisor gives a warning rating to the
Code4ward.com site because: "When we tested this site we found links to
SoftSea.com, which we found breaches browser security on our test PC."
However, the downloads for Royal TS aren't hosted on SoftSea.com and
there is no reason to go to that site to obtain the software.

—Dennis Wynne, Windows 
systems administrator and 
desktop support specialist 
InstantDoc ID 102914 




NTFS Inheritance Rule Change 

Until recently, NTFS permissions have followed these inheritance rules:

1. If a file or folder is copied to some other location, it will
inherit the new location's NTFS permissions.

2. If a file or folder is moved to some other location on a different
disk drive, it will inherit the new location's NTFS permissions.

3. If a file or folder is moved to some other location on the same disk
drive, it will retain the original location's NTFS permissions.

One of the NTFS inheritance rules changed in Windows 7, Windows Server
2008, and Windows Vista. Now if you move a file or folder, it will
inherit the new location's NTFS permissions, even if the new location is
on the same disk drive. This is a radical shift that you need to take
into account when you're moving files. You can find a reference to this
change in the Notes section in the Microsoft article "Inherited
permissions are not automatically updated when you move folders"
(support.microsoft.com/kb/320246).

—Murat Yildirimoglu, MCSE and MCT 
InstantDoc ID 102924 

Retrieve Information from Open 
Browsing Sessions 

I occasionally want to hang on to some URLs that I've retrieved in a
Microsoft Internet Explorer (IE) browsing session for later reference.
Although you certainly can save and re-open tab sets of URLs on systems
running IE 7.0 and later, you don't have any portability and you
certainly can't save the information as a reference to browse through
later on. I wrote a couple of PowerShell scripts to solve these browsing
problems.

The first script, Get-IEUrl.ps1, lets you quickly retrieve information
about the current browsing session for reuse later on. If you run
Get-IEUrl.ps1 with no arguments, you'll get a list of the URLs for all
the open web pages, as Figure 1, page 26, shows.

You can copy and paste these URLs for use elsewhere, or even send them
to a file using a command such as

Get-IEUrl | Set-Content sites.txt

What's handy about saving the URLs to a file is that you can then use
the second script, Start-IEUrl.ps1, to pull up the set of web pages. To
do this, you'd use a command such as

Get-Content sites.txt | Start-IEUrl

Reviving the URLs this way doesn't necessarily give you what you had
originally. Each URL will be in a separate IE window, even if you have
tabbed browsing enabled. Still, it gets you back to the original web
pages.

Get-IEUrl.ps1 has three optional arguments: -Location, -Content, and
-Full. If you use the -Location argument like this

Get-IEUrl -Location

you'll get a list of the web pages' titles along with their URLs, which
is useful if you want to save the items as references. Figure 2, page
26, shows some sample output that's been sorted with the Format-List
cmdlet.

If you use the -Content argument like this

Get-IEUrl -Content

Get-IEUrl.ps1 will output the title, URL, and content (text only) of
each open web page. You can view this output onscreen, but I included
this argument so I'd have an easy way to get information from web pages
into a text file or printout for use offline.

Finally, if you use the -Full switch in a command such as

$ies = Get-IEUrl -Full

Get-IEUrl.ps1 returns the IE objects for all open web pages and stores
them in the $ies variable. This lets you use the script as a starting
point for performing other tasks in IE. What you can do depends to a
great extent on your knowledge of IE. Let's look at a couple of simple
examples.

The following code uses the IE objects stored in the $ies variable to
refresh the open web pages every 60 seconds until you issue a break
command (Ctrl+C in PowerShell):

while($true){
sleep 60; $ies |
%{$_.Refresh()}}

If you want to print all the IE web pages captured in $ies, you can use
the command

$ies | %{$_.ExecWB(6,1)}

Note that a Print dialog box will pop up for each web page. You can also
bring up the Save As dialog box for each web page in $ies using the
snippet

$ies | %{$_.ExecWB(4,1)}

Get-IEUrl.ps1 and Start-IEUrl.ps1 exploit only a couple of the
capabilities of the IE automation model. If you're interested in
exploring more things you can do with IE from PowerShell, try using
Get-IEUrl.ps1 with the -Full argument, then use the Get-Member cmdlet on
the returned IE instances. You can get more information about the IE
object model from MSDN's "The Internet Explorer Scripting Object Model"
web page (msdn.microsoft.com/en-us/library/ms970457.aspx).

—Alex K. Angelopoulos, IT consultant 
InstantDoc ID 102917 

Get Updates on Microsoft Updates 

I created a script, WinUpdateCheck.vbs, that you can use to generate a
report that details the number of Microsoft updates installed and the
date of the most recently installed update for every Windows XP machine
on your network. This information can be very useful in identifying
machines that have been compromised with malware that prevents the
installation of Microsoft updates (e.g., Conficker worm). It also
provides a simple way to monitor Microsoft update installations
throughout your network.

Here are the steps to get WinUpdateCheck.vbs working in your
environment:

1. Download WinUpdateCheck.vbs 
from the Windows IT Pro website. Go to 
www.windowsitpro.com, enter 102913 in 
the InstantDoc ID box, click Go, then click 
the Download the Code Here button. 

2. Create a text file that lists the name 
of every Windows XP host on your network. 
Each host name should be on a separate 
line. 

3. In the code that Listing 1 shows, 
modify the PCLIST constant to reflect the 
directory path and name of the text file 
created in step 2. 

4. Modify the PATH constant to reflect 
the directory location of where you want 
the results to be logged. 

Figure 1: Getting the URLs for the web pages in an open browsing session

Figure 2: Getting URLs and page titles for the web pages in an open browsing session

WinUpdateCheck.vbs logs the results in a comma-separated value (CSV)
file named Update-Log.csv. (If you run the script more than once, the
subsequent runs' results are appended to the existing CSV file.) At the
end, the script attempts to open the CSV file in Microsoft Excel. If you
don't have Excel installed on the machine from which you're running the
script, the results will still be logged in the CSV file. The file just
won't open at the end of the script's run.

Note that WinUpdateCheck.vbs assumes the machines being inspected have
Windows installed in the C:\Windows directory. If your machines have
Windows installed in a different location, you'll need to change
\c$\Windows to the appropriate directory in the script's UpdateLog
subroutine.

WinUpdateCheck.vbs takes roughly 10 minutes per 100 machines to run, so
if you have 500 machines it will take about 50 minutes to complete. (It
might be slower or faster, depending on your network infrastructure.)

—Brandon Jones, systems administrator, The W.A. Franke College of Business,
Northern Arizona University
InstantDoc ID 102913
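A report like the one described above can be triaged automatically to surface the machines worth investigating first. The following PowerShell is an added example, not WinUpdateCheck.vbs or its author's code; the column layout (computer, update count, last update date, no header row), the sample rows, the function name Get-UpdateOutlier, and its thresholds are all assumptions.

```powershell
# Added example: triage of a WinUpdateCheck-style report (PowerShell 3.0+).
# ASSUMPTION: each row is "computer,update count,date of last update" with no
# header row. Adjust -Header below to match your real Update-Log.csv.

# Constructed sample data. PC-ACCT-02 appears twice because a second run
# appended to the same file; PC-HR-03 has no usable values.
$sampleCsv = @'
PC-ACCT-01,212,11/12/2009
PC-ACCT-02,209,11/12/2009
PC-LAB-07,131,3/2/2009
PC-LAB-09,214,11/13/2009
PC-HR-03,,
PC-ACCT-02,213,11/20/2009
PC-SALES-04,205,9/28/2009
'@

function Get-UpdateOutlier {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyString()] [string[]] $CsvLine,
        [datetime] $AsOf = (Get-Date),
        [int] $MaxAgeDays = 45,              # older than this counts as stale
        [double] $MinShareOfMedian = 0.8     # below 80% of the fleet median
    )
    $enUS = [System.Globalization.CultureInfo]::GetCultureInfo('en-US')
    $none = [System.Globalization.DateTimeStyles]::None

    # Runs append to the file, so a later row for a host replaces an earlier one.
    $latest = @{}
    $CsvLine | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header 'Computer', 'Updates', 'LastUpdate' |
        ForEach-Object { $latest[$_.Computer.Trim().ToUpperInvariant()] = $_ }

    # Parse each host's latest row; rows that fail to parse are kept and
    # reported rather than silently dropped.
    $machines = @(foreach ($name in ($latest.Keys | Sort-Object)) {
        $count = 0
        $date = [datetime]::MinValue
        $okCount = [int]::TryParse([string]$latest[$name].Updates, [ref]$count)
        $okDate = [datetime]::TryParse([string]$latest[$name].LastUpdate,
                                       $enUS, $none, [ref]$date)
        [pscustomobject]@{
            Computer = $name; Updates = $count; LastUpdate = $date
            HasData  = ($okCount -and $okDate)
        }
    })

    # Fleet baseline: median update count over hosts that reported data.
    $counts = @($machines | Where-Object { $_.HasData } |
        ForEach-Object { $_.Updates } | Sort-Object)
    $median = 0
    if ($counts.Count -gt 0) {
        $mid = [int][math]::Floor($counts.Count / 2)
        if ($counts.Count % 2) { $median = $counts[$mid] }
        else { $median = ($counts[$mid - 1] + $counts[$mid]) / 2 }
    }

    foreach ($m in $machines) {
        $why = @()
        if (-not $m.HasData) {
            $why += 'no usable count/date in latest row'
        } else {
            $age = [int][math]::Floor(($AsOf - $m.LastUpdate).TotalDays)
            if ($age -gt $MaxAgeDays) { $why += "last update $age days old" }
            if ($m.Updates -lt $MinShareOfMedian * $median) {
                $why += "$($m.Updates) updates vs fleet median $median"
            }
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Computer = $m.Computer; Reasons = ($why -join '; ') }
        }
    }
}

# Evaluate the constructed sample as of a fixed date so the result is repeatable.
Get-UpdateOutlier -CsvLine ($sampleCsv -split "`r?`n") -AsOf ([datetime]'2009-12-01') |
    Format-Table -AutoSize -Wrap
```

Against a real report, pass `(Get-Content Update-Log.csv)` as -CsvLine. A flagged host is a candidate for inspection, not proof of compromise: a recently rebuilt or long-powered-off machine will also show a low count or an old date.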

Listing 1: Code to Modify in WinUpdateCheck.vbs

' Replace \\PATH\HOSTNAMES.TXT with the path and
' name of the file containing your list of host names.
Const PCLIST = "\\PATH\HOSTNAMES.TXT"

' Replace \\PATH\ with the location of the directory where
' you want the results to be logged.
Const PATH = "\\PATH\"

Const FORAPPENDING = 8
Const FORREADING = 1
Const OPENASASCII = 0
Const FAILIFNOTEXIST = 0

Monitor Network Connections with Pingmon

The staff at a remote location in my company had reported frequent
network outages, so I had to come up with a way to monitor their network
connection. I wanted to see how often the connection went down and how
long it took to come back up. Rather than spending money on a commercial
program or digging through huge ping logs, I pulled together a few free
utilities and wrote a .bat script named Pingmon.

Pingmon is simple in concept: It watches an address that's either
responding or not, and if the state changes, the script generates an
email and a log entry. The log shows when the connection went up or
down. When a connection goes from down to up, the log also shows how
long it was down.

The syntax to use Pingmon is straightforward:

pingmon <computername> <frequency>
<email-address> <log-file>
[<comment>]

where

• computername is the name or IP address of the device you want to
monitor

• frequency is the number of seconds to wait between ping attempts

• email-address is where you want to receive email notifications

• log-file is the name of the file in which you want to log all state
changes

• comment is an optional one-word description of what you're monitoring

(Although this command wraps here, you'd enter it all on one line. The
same holds true for the sample command that follows.)

If you don't want to receive the email notifications or have a log file,
you can just use a period for that parameter. You might not want email
notifications if you expect a device to go up and down frequently and
you just need to keep track of the device's state. You might not want to
have a log file if you need to take some action as soon as a device
becomes available.

Pingmon uses three utilities: date.exe, SleepX, and Blat. Date.exe is a
port of the UNIX date command. It provides a UNIX-type date so that the
script can calculate how long a circuit is down. Date.exe is one of many
UNIX tools in the UnxUtils.zip file, which you can download from
unxutils.sourceforge.net.

The script uses SleepX to create a pause between ping attempts. SleepX
is part of the Shell Scripting Toolkit, which is a collection of Win32
command-line utilities you can use in cmd.exe shell scripts. You can
download the Shell Scripting Toolkit from www.westmesatech.com/sst.html.

Pingmon uses Blat to send the email notifications. Blat is an extremely
versatile command-line mailer that's easy to set up and use. However, I
recommend that you install it as follows: Download the utility from
www.blat.net, and copy the blat.exe file into a library in your path.
Then, at a command prompt, run

blat.exe -install
<your.mailserver.com>
<you@yourdomain.com>

substituting your.mailserver.com and you@yourdomain.com with the name of
your SMTP email server and your email address, respectively. Installing
it this way saves these values in your registry so you don't have to
pass them as parameters every time you run Blat.

Besides using Pingmon to troubleshoot the remote location's network
outages, my colleagues and I have found many other uses for it. We've
used it to watch several devices at remote locations to determine what
switches are dropping out. To monitor a plant's network, we ran several
Pingmon scripts, had them log to the same file, and set up a scheduled
task to email the log to us every day. We also used the script to
monitor servers awaiting reboots and monitor circuit uptime in
international locations. Whatever you're watching, Pingmon throws out
the fluff so you only have to look at interesting events.

You can download Pingmon, which I wrote for use on Windows NT 4.0 and
later, from the Windows IT Pro website. (Go to www.windowsitpro.com,
enter 102911 in the InstantDoc ID box, click Go, then click the Download
the Code Here button.) You don't need to customize the code at all, but
you do need to install the date.exe, SleepX, and Blat utilities to use
Pingmon. Depending on what you plan to use Pingmon for, you might want
to enhance it. For example, you could add an option to write the log
entries in a database or have it run Traceroute (tracert.exe) when a
device goes down.

—Bill Aycock, network administrator,
International Textile Group
InstantDoc ID 102911

Join MVP John Savill on December 10, 2009 for 3 in-depth lessons
and Q&A sessions on how to ensure that vSphere is deployed and
maintained in the most optimal way.

WHEN

December 10, 2009

WHERE

Your computer

COST

$99 for all 3 lessons

LESSONS

11:00 am ET - VMware Virtualization Capabilities and the vSphere Platform

Explore the major functionality capabilities of the vSphere
virtualization platform, including identification of the changes
from ESX3.5.

12:30 pm ET - Deploying and Managing vSphere

2:00 pm ET - High Availability and Resource Management with vSphere

What you'll take away from this exclusive eLearning series:

■ Understanding the different types of virtualization available
and how they are best suited to your organization

■ Understanding how vSphere is deployed and managed with
focus on additional capabilities through Virtual Center

■ Learning about the high availability capabilities of vSphere
through vMotion and storage migration capabilities, including
disaster recovery site capabilities

INSTRUCTOR

John Savill is the author of the popular FAQ for
Windows and a contributing editor to Windows IT
Pro. He is an advisory architect for EMC's Microsoft
consulting practice. He's an MCITP: Enterprise
Administrator for Windows Server 2008 and a
10-time MVP. His latest book is The Complete Guide
to Windows Server 2008 (Addison-Wesley).

HOW

Register at www.windowsitpro.com/go/elearning/VMwarevSphere

Learn more about the speaker, lessons,
and how to reserve your seat at:
www.windowsitpro.com/go/elearning/VMwarevSphere

ASK THE EXPERTS


ANSWERS TO YOUR QUESTIONS 



Q: How can I enable encryption in 
Outlook 2003? 

A: The ability to encrypt MAPI connections in Microsoft Office Outlook
2003 isn't enabled by default as it is in Office Outlook 2007. If you
want to enable encryption of MAPI connectivity between Outlook 2003 and
Microsoft Exchange Server 2003 and higher, you need to make a change to
Outlook 2003. This change is a registry value which can be implemented
through Group Policy (Policy template file OUTLK11.ADM) or the Custom
Installation Wizard (CIW) for Microsoft Office 2003.

You can also make the registry change manually. If it doesn't exist,
add the EnableRPCEncryption value of either 1 for enabled or 0 for not.

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\RPC]
"EnableRPCEncryption"=dword:1

RPC encryption isn't the same as encrypting individual messages. RPC
encryption only encrypts the data stream between Outlook and Exchange
for MAPI connections. It isn't specific to a single email message.

This is an important setting if you are moving to Exchange Server 2010,
which requires encryption from its MAPI Outlook clients. Exchange Server
2010 will support Outlook clients back to Outlook 2003 SP2 for MAPI
connectivity. However, for Outlook 2003, encryption between Outlook and
Exchange must be enabled on the client. You will need Outlook 2003 SP2
to connect to Exchange 2010.

—William Lefkovics 

InstantDoc ID 102684 

Q: I want to use Identity Lifecycle Manager (ILM) to synchronize
passwords between two forests. What trusts do I need?

A: The trust relationships required depend on the configuration. To
synchronize passwords between different forests, you have two critical
components:

• Password Change Notification Service (PCNS)—This is responsible for
pushing password changes from the Active Directory to an identity
store/synchronization engine such as ILM. PCNS is installed on the
domain controllers in the domain where password changes need to be
captured. There is an Active Directory (AD) schema change required for
PCNS to function.

• The Synchronization Engine—This actually acts on the new passwords and
updates other objects. In this case, ILM.

PCNS and ILM must be in the same forest or have a two-way Kerberos
forest trust between them, but no trust is needed between the ILM
instance and the target forest where you're updating passwords. All you
need in ILM is a connector to the target forest and to match up the user
in the source forest with the user in the target forest in the
metaverse via a join rule (so the password is mapped to the right user).
For example, both accounts may have the same sAMAccountName. This
scenario allows you to have one forest, Forest A, where users change
their passwords, and have ILM installed with PCNS in Forest A. The ILM
can then project the updated passwords onto matching users in Forest B
without the need for a trust.

Unfortunately, the above scenario is not the predominant one. It's more
common to have multiple source forests where users change their
passwords, and you want those passwords to be updated into a central AD
forest, which is where you'd like to have ILM installed. For this to
work, you need forest trusts between the target forest and all the
source forests so PCNS can communicate with ILM in the target forest.
You must use a forest trust to enable the Kerberos mutual authentication
to allow ILM to accept the request from a host in a remote forest.

If you want to have two (or more) forests replicating passwords with
each other in both directions (so users can change their password in
either forest), custom configuration (and possibly coding) is required.
By default, if each forest notifies the other forest of a password
change when the forest receives the notification, each would make the
change then notify the other forest of a password change, and an
infinite loop would occur. In most implementations, you need one of the
forests to be authoritative for password changes. Microsoft offers a
step-by-step guide to help you configure password synchronization at its
site, at tinyurl.com/yk6l4za.

The short answer to the question is that you require a forest trust
between the forests running PCNS and the forest that runs ILM.

—John Savill

InstantDoc ID 102896

Q: If I unlock a BitLocker protected USB device, is it only unprotected
for the current user?

A: BitLocker is a volume-level encryption technology. When the password
for a BitLocker protected USB device is entered, the volume becomes
unprotected for the OS instance. If the user who unlocked the device
doesn't disconnect the device before logging off, or if another user
logs onto the same machine using Switch User, other users will still
have access to the USB device's content.

In addition, any user who is an administrator has remote access to the
USB device, so those users would also be able to access the data once
the USB device is unlocked by the local user.

—John Savill

InstantDoc ID 102857

William Lefkovics | william@mojavemediagroup.com

John Savill | jsavill@windowsitpro.com

Jan De Clercq | jan.declercq@hp.com

Figure 1: Logon information display

Successful Logon: The last time you interactively logged on to this
account was: Tuesday, September 15, 2009 1:45:16 AM

Unsuccessful Logon: The last unsuccessful interactive logon attempt on
this account was: Tuesday, September 15, 2009 1:45:39 AM

The number of unsuccessful interactive logon attempts since your last
interactive logon: 2.

Q: Does Windows include a 
mechanism to show failed logon 
information to the user at logon 
time? 

A: Yes, Windows includes such a mechanism, starting with Windows Server
2008 and Windows Vista. You might be interested so that you can let your
users see if someone has been trying to use their accounts and guess
their passwords since they last successfully logged on to Windows.

After a user successfully logs on to Windows, the mechanism will display
the last successful logon time, the last failed logon time, and the
number of failed logon attempts since the last successful logon time, as
shown in Figure 1. Your users must acknowledge this information before
they can proceed and access the Windows desktop.

Behind this feature is a new set of Active Directory (AD) attributes
that are replicated between all the Domain Controllers (DCs) of a
domain. These attributes allow the OS to determine the last successful
and failed logons. Only Windows 7, Vista, and Server 2008 can use the
feature—other Windows OSs ignore it. This feature is only available
after you've increased the Domain Functional Level (DFL) to Windows
Server 2008, so only Server 2008 DCs can exist in your AD domain—none
from earlier OSs.

To enable this new mechanism, you must explicitly allow Windows to
report the logon information and to write it to AD at logon time. You
can allow both actions using a set of new Group Policy Object (GPO)
settings.

To allow Windows to write the information to AD at logon, a GPO
affecting your DC configuration (for example, the Default Domain
Controllers GPO) must have the following setting enabled:

Computer Configuration\Administrative Templates\Windows Components\
Windows Logon Options\Display information about previous logons during
user logon

To allow Windows to report the information at logon, a GPO affecting
your server and client configuration (for example, the Default Domain
Policy) must have the following setting enabled:

Computer Configuration\Administrative Templates\Windows Components\
Windows Logon Options\Display information about previous logons during
user logon

One last warning: if you enable these settings for domains that are
Windows Server 2003, Windows 2000 native, or Windows 2000 mixed
functional level, a warning message will appear at logon time. The
message will inform your users that Windows could not retrieve the logon
information and they will not be able to log on. In other words, you
should never enable these GPO settings if your domain is not at the
Server 2008 DFL.

—Jan De Clercq

InstantDoc ID 102843

We chose—and you chose!—from an impressive crowd of
unique offerings

Windows IT Pro Editors' Best and Community Choice Awards

by the Windows IT Pro editors


Your Top 10 Favorite Things 
about Working in IT 

10. "Every day brings a new challenge." 

9. "It's quite fulfilling when I can figure out tough problems
for people."

8. "No one else knows what the hell I'm talking about,
and I appear smarter than everyone else."

7. "I get to play with cool, shiny toys and get paid for it."

6. "UNLIMITED POWER! MUAHAHAHA!"

5. "Free soda."

4. "People need me."

3. "I get a comfy chair."

2. "The money."

1. "The girls."

Your Top 10 Least Favorite Things
about Working in IT

10. "Everybody thinks I can fix any problem with two 
mouse clicks." 

9. "The constant technology evolution: I'm outdated as 
soon as I get something in place." 

8. "Balancing home life and work life." 

7. "Failing eyesight." 

6. "The terrible hours: Everyone from the CEO to the 
village dog depends on me and will call me at 2 a.m. 
when their email is taking longer than five minutes to 
arrive." 

5. "Everyone I know wants me to fix their computer." 

4. "The money." 

3. "If I fail, everything fails." 

2. "The smell." 


Picking a favorite product from an impressive crowd of competitive offerings is never an easy
task, and such was the case with our Editors' Best and Community Choice awards this year. The
former award program highlights products that Windows IT Pro editors and contributors believe are
worthy of recognition, whereas the latter program turned that process over to you, our readers.

Our Community Choice awards allowed readers to decide which products and services were
chosen for acclaim and recognition. Rather than presenting a predefined list of products and
services that limited your selection to choices our editorial team had already made, this year we
decided to open up the process to everyone and let you determine the products and services that
were worthy of inclusion in our final voting phase. We also encouraged IT pros to submit comments
about why they selected the products they did, so you'll see lots of insightful comments and
real-world wisdom from IT pros about their favorite products on the pages that follow.

Unlike last year—when we treated both award programs as separate
entities—we decided to merge the award programs this year. We've listed
the top three Editors' Best products in each category directly adjacent to our
Community Choice winners. Sometimes our editors and readers agreed on
what products and services were best in a given category, and sometimes
they didn't. Yet regardless of whether these winners were picked by editors
or readers, one thing is certain: All these awards recognize products
and services that are considered the best of the best in their respective
categories.

By presenting our Community Choice and Editors' Best award picks
next to each other this year, we're hoping we'll encourage some dialog
about the selections that were made. Do you agree with the choices our
editors made? Or do the picks that our readers made carry more weight?
Please let us know what you think by emailing us your comments, or by
visiting our online forums and writing a post or two.

Best Active Directory and Group Policy Product


Editors' Best 

GOLD: 

GPExpert Group Policy Automation Engine 2.0 • SDM Software • 
www.sdmsoftware.com 

SILVER: 

Privilege Manager • BeyondTrust • pm.beyondtrust.com 

BRONZE: 

GroupID Suite • Imanami • www.imanami.com

"SDM Software's GPExpert Group Policy Automation
Engine 2.0 helps the Group Policy-challenged
manage Group Policy as though they
were Group Policy experts."—Caroline Marwitz,
associate editor, Windows IT Pro

"SDM products allow powerful GPO management.
SDM Software clearly shows its leadership
with innovative solutions that no one
else provides. The company led the way in
automation of Group Policy management with
its Group Policy Automation Engine and free
PowerShell GPMC cmdlets—which I personally
value highly. These technologies were introduced
by SDM long before Microsoft provided
limited functionality in Windows 7."—Guido
Grillenmeier, contributor, Windows IT Pro


Community Choice

GOLD: 

ScriptLogic Active Administrator • ScriptLogic • 
www.scriptlogic.com 

SILVER: 

Group Policy Manager • Quest Software • www.quest.com 

BRONZE: 

Active Directory Change Reporter • NetWrix • www.netwrix.com 

Quotes from the Windows IT Pro community 
about ScriptLogic's Active Administrator ... 

"I believe it's the best AD resource on the market and 
priced perfectly." 

"Wonderfully comprehensive tool set for 
managing AD." 

"Lets you recover 
that OU and save 
embarrassment 
and time." 



Best Auditing and Compliance Product

Editors' Best

GOLD: 

Control Compliance Suite • Symantec • www.symantec.com 

SILVER: 

ChangeAuditor • Quest Software • www.quest.com 

BRONZE: 

Active Directory Change Reporter • NetWrix • www.netwrix.com

"Keeping your IT infrastructure in compliance
with corporate governance rules and regulations
can be an arduous task. It's expensive
and is aimed at larger enterprises. Symantec's
Control Compliance Suite can help ease the
compliance burden immensely."—Jeff James,
Windows IT Pro

"It's a big product to cover a big problem, but
Symantec's Control Compliance Suite gives
you many options for deployment. It has broad
platform support for multi-OS environments,
runs agentless or agent-based, and features
many out-of-the-box policies for common
regulations, such as SOX and PCI, as well as
letting you define policies specific to your
environment."—B. K. Winstead, associate editor,
Windows IT Pro

Community Choice 

GOLD: 

Control Compliance Suite • Symantec • www.symantec.com 

SILVER: 

GFI EventsManager • GFI • www.gfi.com 

BRONZE: 

ChangeAuditor • Quest Software • www.quest.com 

Quotes from the Windows IT Pro community 
about Symantec's Control Compliance Suite ... 

"Extremely comprehensive." 

"Control Compliance Suite gives me really great 
reports about my organization's compliance with 
internal and external standards." 

"I can't imagine anything better." 


Best Antivirus and Anti-Malware Product 


Editors' Best

GOLD: 

Tripwire for Servers • Tripwire • www.tripwire.com 

SILVER: 

Managed Endpoint Protection Services • Symantec • 
www.symantec.com 

BRONZE: 

IronPort C-Series • Cisco • www.ironport.com

"[Tripwire's] leading platform integrity checking
software allow[s] for advanced data
and system protection and centralized
monitoring. [It's a] great tool for compliance
purposes."—Jan De Clercq, contributing editor,
Windows IT Pro

"Tripwire is an effective tool for protecting
your network. The product is a great security
add-on, regardless of your primary intrusion-detection
software."—Mark Joseph Edwards,
senior contributing editor, Windows IT Pro


Community Choice 

GOLD: 

VIPRE Enterprise • Sunbelt Software • 
www.sunbeltsoftware.com 

SILVER:

ESET NOD32 • ESET • www.eset.com

BRONZE: 

OfficeScan • Trend Micro • www.trendmicro.com 

Quotes from the Windows IT Pro community 
about Sunbelt Software's VIPRE Enterprise ...

"Easy to deploy, excellent value, low machine
overhead."

"Least use of memory, least impact to system
and processes, performs as well as (perhaps better
than) the biggies."

"Totally reliable, catches and defends the environment
more than any other product, and has
the lowest CPU usage."

"It's fast and light on system resources. It's also not
just antivirus (quarantine or delete files) but provides
a brute-force clean-up of the crud left behind
by malware (including dummy files, registry settings,
DNS entries, and browser help objects)."


Best Backup and Recovery Software Product 


Editors' Best 

GOLD: 

Backup Exec 12.5 • Symantec • www.symantec.com 

SILVER: 

Backup Now 5.5 • NTI • www.ntius.com 

BRONZE: 

Tivoli Storage Manager • IBM • www.ibm.com 


Community Choice 

GOLD: 

Backup Exec 12.5 • Symantec • www.symantec.com 

SILVER: 

Acronis Backup and Recovery • Acronis • www.acronis.com 

BRONZE: 

Veeam Backup & Replication • Veeam • www.veeam.com 


"Backup Exec has become the industry standard
for easy-to-use backup solutions for
SMBs. Symantec and Dell even teamed up last
year to provide a complete turn-key solution,
which I wrote about in my review, 'Dell PowerVault
DL2000 Powered by Symantec' (InstantDoc
ID 101476)."— Eric B. Rux, contributing editor,
Windows IT Pro

"Backup Exec is probably the most well-known 
backup application among IT pros—and with 
good reason. Able to back up myriad sources 
from flat files to multi-instance SQL Server 
databases and store the backups on both disk 
and tape, this product has only gotten better 
with each version. It's particularly handy in heterogeneous
environments because it can back
up non-Windows platforms."— Michael Dragone,
contributing editor, Windows IT Pro


Quotes from the Windows IT Pro community 
about Symantec's Backup Exec ... 


"I no longer worry about data loss. Recovery time is
quick, and backup and restore management is very
convenient."

"Well laid out, reliable, great new features. Backing
up Exchange Server is a breeze."

"Easy to use, with superior granular-recovery functionality."



Best Cloud Computing Product or Service 


Editors' Best 

GOLD: 

Amazon Web Services • Amazon • www.amazon.com 

SILVER: 

Google Apps • Google • www.google.com 

BRONZE: 

Zmanda Cloud Backup • Zmanda • www.zmanda.com 

"Although Amazon Web Services isn't cheaper 
than running your own server in the long 
run—even in a hosted colocation facility—the 
ability to rapidly spin up additional capacity 
on a pay-as-you-go basis is extremely valuable.
Amazon Web Services' management
tools have become very mature, while staying
easy to use, so you can easily and cheaply add
Amazon Web Services to your bag of application
hosting tricks."— Mel Beckman, contributing
editor, SQL Server Magazine 

"Google is a pioneer in offering applications in 
the cloud, and Google Apps has emerged—in 
some use cases—as a viable alternative to 
competing traditional IT solutions. It may not 
be a good fit for many organizations, but 
Google Apps is definitely making an impact." 

—Jeff James, Windows IT Pro 


Community Choice

GOLD: 

Amazon Web Services • Amazon.com • www.amazon.com 

SILVER: 

Meraki Cloud Controller • Meraki • www.meraki.com 

BRONZE: 

Salesforce CRM • Salesforce.com • www.salesforce.com 

Quotes from the Windows IT Pro community 
about Amazon Web Services ... 

"Outstanding!" 

"Best cloud computing product for enterprise-level 
cloud computing." 


"Very simple 
and easy 
to manage." 


FUN FACT: 

Our Community Choice Awards 
received 7,900 total votes. 


Best Business Intelligence and Reporting Tool

Editors' Best

GOLD: 

Tableau 5.0 • Tableau Software • www.tableausoftware.com 

SILVER: 

NovaView 6.0 • Panorama Software • www.panorama.com 

BRONZE: 

Analyzer • Strategy Companion • www.strategycompanion.com 

"What I like about Tableau 5.0 is that SQL 
Server professionals don't have to spend a lot 
of time training business users on how to use 
it—anyone can quickly learn to use this product
to create active dashboards and reports
and analyze data, as long as they have access 
to the Internet. Tableau 5.0 also lets you tie in 
to multiple data sources and create interactive 
visualizations that help you better understand 
your data, and therefore help you make 
informed business decisions, faster."— Megan 
Keller, associate editor, SQL Server Magazine and 
Windows IT Pro 

"Filling the gaping hole left by Microsoft's 
absorption of ProClarity, Strategy Companion's 
Analyzer is the best solution to complete the 
Microsoft BI platform. Analyzer supports the
full range of SQL Server Analysis Services features.
It has a zero-footprint client interface,
making it simple to deploy and manage with
delivery options for SharePoint, Excel, and IE.
Analyzer offers a powerful and intuitive set of
analysis tools and visualizations that let business
users make more confident decisions."

—Douglas McDowell, contributor, SQL Server 
Magazine 

"Giving stakeholders the information they
need in a format they can understand is invaluable,
and Tableau 5.0 does that better than just
about any other BI tool."— Jeff James, Windows
IT Pro

Community Choice 

GOLD: 

IT Analytics • Symantec • www.symantec.com 

SILVER: 

Crystal Reports • Business Objects • www.businessobjects.com 

BRONZE: 

XtraReports Suite • Developer Express • www.devexpress.com 

Quotes from the Windows IT Pro community 
about Symantec's IT Analytics ... 

"Leverages all the data inside the Altiris platform."

"Default cube schemas and reports, visual quality, 
ease of use, dynamic tables and graphs, benefits of 
SQL reporting services." 


36 DECEMBER 2009 Windows IT Pro 


We're in IT with You 


www.windowsitpro.com

Best Deployment Product

Editors' Best 

GOLD: 

Prowess SmartDeploy Enterprise • Prowess • 
www.smartdeploy.com 

SILVER: 

Ghost • Symantec • www.symantec.com 

BRONZE: 

Acronis Snap Deploy 3 • Acronis • www.acronis.com 


"SmartDeploy is a well thought-out deployment
solution. It overcomes one of the
major drawbacks of standard disk-imaging
solutions—having to create a master image
for each hardware platform—by providing
Platform Packs to download at no additional
cost."— Eric B. Rux, contributing editor, Windows
IT Pro

"SmartDeploy gives IT pros a range of excellent
templates and wizards to use through
the deployment process, letting them save
time and money and focus on more pressing
problems. SmartDeploy is something that any
IT pro tasked with deploying PCs should take a
look at."— Jeff James, Windows IT Pro

Community Choice

GOLD: 

Ghost • Symantec • www.symantec.com 

SILVER: 

Installaware • Installaware • www.installaware.com 

BRONZE: 

Specops Deploy • Specops Software • www.specopssoft.com 

Quotes from the Windows IT Pro community 
about Symantec's Ghost ... 

"Hands down, the best tool for quick, non-ghosted 
deployments." 

"Creating and deploying images is a snap." 


"It just always works!"


Your Favorite Vendor Support 

Gold: Dell • www.dell.com

Silver: Microsoft • www.microsoft.com 

Bronze: Symantec • www.symantec.com 


Best Development Tool 

Editors' Best

GOLD:

Adobe Dreamweaver • Adobe • www.adobe.com

SILVER:

Altova XMLSpy • Altova • www.altova.com

BRONZE:

TestComplete • AutomatedQA • www.automatedqa.com

"I've been using Dreamweaver for web development
for more than a decade. No other web
development app combines so many features
with such an easy-to-use interface. Whether
you're a DBA, IT pro, or end user, Dreamweaver
is the best tool for the job."— Jeff James,
Windows IT Pro

"TestComplete simplifies the entire testing
process with the help of a powerful and lightweight
integrated environment. It does the job
of testing various applications very nicely."

—Anand Narayanaswamy, technical editor,
DevConnections

Community Choice

GOLD:

Adobe Dreamweaver • Adobe • www.adobe.com

SILVER:

Coderush • Developer Express • www.devexpress.com

BRONZE:

RadControls • Telerik • www.telerik.com

Quotes from the Windows IT Pro community
about Adobe Dreamweaver ...

"This web editor simply does everything."

"Very highly recommended to anyone building
websites."

"Everything is faster, easier, and more intuitive with
Dreamweaver."


Best Hardware: Server 



Editors' Best

GOLD: 

ProLiant DL380 series • HP • www.hp.com 

SILVER: 

NEC 5800 series • NEC • www.nec.com 

BRONZE: 

PowerEdge • Dell • www.dell.com 


Community Choice 

GOLD: 

ProLiant DL380 series • HP • www.hp.com 

SILVER: 

PowerEdge 2900 series • Dell • www.dell.com 

BRONZE: 

IBM BladeCenter Server • IBM • www.ibm.com 


"The ProLiant line of servers is likely represented
in every data center in existence. The
DL380 is the workhorse of many IT shops, 
and for good reason: reasonably priced, 
extensive support options, and myriad 
configurations."— Michael Dragone, contributing 
editor, Windows IT Pro 


Quotes from the Windows IT Pro community 
about HP's ProLiant DL380 servers ... 

"Excellent power, reliability, and manageability for
a solid price." 

"HP products always have fewer problems than 
those of other vendors." 


"Hardware is hardware. The real question is, 
'Who is going to answer the phone when 
you have a problem?' HP support is rock solid. 
Period."— Eric B. Rux, contributing editor, 
Windows IT Pro 

"The HP ProLiant DL380 servers are fantastic 
virtualization hosts."— Alan Sugano, 
contributing editor, Windows IT Pro 


"Reasonably priced, reliable, and highly
expandable."


Best Hardware: Networking

Editors' Best

GOLD:

Cisco routers and switches • Cisco • www.cisco.com

SILVER:

NSA series of firewalls • SonicWALL • www.sonicwall.com

BRONZE:

Barracuda Link Balancer • Barracuda Networks •
www.barracudanetworks.com


"While not often receiving the tender, loving
care that other IT hardware and software does,
in today's Web 2.0 cloud-compelled IT world
the humble Cisco products are the plumbing
that keeps most (if not all) of us afloat in some
way, shape, or form. I have yet to meet an IT
pro who didn't have some piece of Cisco gear
somewhere in their environment."— Michael
Dragone, contributing editor, Windows IT Pro

"My old boss used to tell me, 'Nobody ever got
fired for buying Cisco gear.'"— Eric B. Rux,
contributing editor, Windows IT Pro


Community Choice

GOLD:

Cisco routers and switches • Cisco • 
www.cisco.com 

SILVER: 

ProCurve switches • HP • www.hp.com 

BRONZE: 

EtherFast switches • Linksys • www.linksys.com 


Quotes from the Windows IT Pro community 
about Cisco's routers and switches ... 

"I've never had any problems after implementing 
Cisco gear." 

"Cisco always offers great support — quick, 
efficient, and generally knowledgeable about their 
products." 


"It simply works." 


Best Hardware: Workstation

Editors' Best

GOLD:

ThinkStation S20 • Lenovo • www.lenovo.com

SILVER:

OptiPlex 760 • Dell • www.dell.com

BRONZE:

ThinkPad W700 • Lenovo • www.lenovo.com


"Designed for intensive tasks such as computer-aided
design/engineering, scientific
applications, and digital content creation,
Lenovo's ThinkStation S20 is a powerhouse.
This desktop workstation packs a whopping
amount of power into an affordable price point
for any organization."— Douglas Toombs,
contributor, Windows IT Pro

"The Lenovo ThinkPad W700 is a monster of a
portable machine, with a 2.53GHz quad-core
Intel Core 2 Extreme processor T9300 (6MB,
1066MHz), 4GB of RAM, a 250GB hard drive, a
17" screen running at 1920x1200, and a built-in
Wacom digitizer."— Paul Thurrott, news editor,
Windows IT Pro


Community Choice

GOLD:

OptiPlex 760 • Dell • www.dell.com

SILVER:

HP Z800 • HP • www.hp.com

BRONZE:

ThinkCentre • Lenovo • www.lenovo.com


Quotes from the Windows IT Pro community
about Dell's OptiPlex 760 workstations ...

"Dell makes workstations that are solid performers.
Great warranty. I've been very lucky with my desktops
and had pretty much zero system failures."

"Inexpensive, high quality, very dependable."

"Bulletproof!"


Best Hardware: Laptop

Editors' Best

GOLD:

Lenovo T400 • Lenovo • www.lenovo.com

SILVER:

MacBook Pro • Apple • www.apple.com

BRONZE:

EliteBook • HP • www.hp.com

"The ThinkPad 400 offers familiar ThinkPad
advantages like a best-in-class keyboard, solid
build quality, and custom add-in software that
actually enhances the Windows user experience.
The system is also one of the sleekest,
lightest, and most elegant notebooks ever
created. The best news? It's available with an
optional multi-touch screen, too."— Paul
Thurrott, news editor, Windows IT Pro

"Apple's $1,200 13" MacBook Pro is easily the
highest-quality notebook I've ever used, and
as a network engineer I've been forced to use
everything. Its seven-hour battery life is the real
deal, too, not some trumped-up laboratory-only
number. I routinely get eight hours of working
time on my MacBook Pro."— Mel Beckman,
contributing editor, SQL Server Magazine

"Now available with SSD drives, LCD backlit
screens with desktop-worthy screen resolutions,
and switchable discrete graphics while
still featuring the awesome ThinkPad keyboard
and docking options, the [ThinkPad T-Series]
packs a punch without weighing you down or
breaking the bank."— Michael Dragone, contributing
editor, Windows IT Pro

Community Choice 

GOLD: 

Latitude • Dell • www.dell.com 

SILVER: 

MacBook Pro • Apple • www.apple.com 

BRONZE: 

EliteBook • HP • www.hp.com

Quotes from the Windows IT Pro community 
about Dell's Latitude laptops ... 

"Exceptionally lightweight with great battery life." 

"Just a terrific combination of features and functionality
on the road."

"A sturdy, reliable performer." 

Best Hardware: Appliance 


Editors' Best

GOLD: 

Bomgar Box • Bomgar • www.bomgar.com 

SILVER: 

SA 500 Series Security Appliances • Cisco • www.cisco.com 

BRONZE: 

Barracuda Spam Firewall • Barracuda Networks • 
www.barracudanetworks.com 


Community Choice 

GOLD: 

Cisco ASA 5500 Series • Cisco • www.cisco.com 

SILVER: 

SonicWALL NSA 2400 • SonicWALL • www.sonicwall.com 

BRONZE: 

Barracuda Spam Firewall • Barracuda Networks • 
www.barracudanetworks.com 


"If you need to provide remote support to your 
users on just about any device and don't want 
to use a cloud-based solution, it's hard to beat 
a Bomgar Box. Available in several different 
affordable configurations, it's an overlooked 
device that should be considered."— Michael 
Dragone, contributing editor, Windows IT Pro 

"The Bomgar Box is an appliance preloaded 
with the latest release of the company's 
remote support software. The solution enables 
attended and unattended remote PC access 
with multi-platform support."— Caroline 
Marwitz, associate editor, Windows IT Pro 


Quotes from the Windows IT Pro community 
about Cisco's ASA 5500 series ... 

"One device instead of many devices equals lots of 
extra cash in the budget." 

"It performs exquisitely at so many security tasks."

"Robust, stable, easy to use."



Best Hardware: Storage 


Editors' Best 

GOLD: 

Intel SSD drives • Intel • www.intel.com 

SILVER: 

nTier Deduplication appliance • SpectraLogic • 
www.spectralogic.com 

BRONZE: 

DroboPro • Data Robotics • www.drobo.com 


Community Choice 

GOLD: 

EMC CLARiiON • EMC • www.emc.com 

SILVER: 

EqualLogic PS5000 • Dell • www.dell.com 

BRONZE: 

NetApp FAS3100 • NetApp • www.netapp.com 


"As the price of SSD drives continues to plummet,
you'll need to seriously consider taking
the leap. It's the most worthwhile upgrade you
can make to any computer system these days,
and the Intel drives are among the best SSDs
available."— Michael Dragone, contributing editor,
Windows IT Pro

"Intel SSDs—along with the rise of virtualization
and the boom in iSCSI SAN adoption—
are undoubtedly contributing to a revolution
of storage in the enterprise."— Jeff James,
Windows IT Pro

"The Drobo is exactly what today's IT pros
need—automated, easy-to-use backup functionality
in the form of a cool gadget."— Jason
Bovberg, senior editor, Windows IT Pro


Quotes from the Windows IT Pro community
about EMC CLARiiON ...

"Easy-to-use, affordable networked storage."

"The new virtual-aware EMC CLARiiON is perfect for
my VMware environment."

"Love the expandability."


Best High Availability/Disaster Recovery Product

Editors' Best

GOLD:

everRun VM • Marathon Technologies •
www.marathontechnologies.com

SILVER:

DataKeeper Cluster Edition • SteelEye Technology •
www.steeleye.com

BRONZE:

Veritas Storage Foundation HA for Windows • Symantec •
www.symantec.com

"Marathon Technologies' everRun VM is a
snap to deploy, is easy to use, and is loaded
with features. If you need to protect your
virtual infrastructure from an unforeseen
mistake or mishap, everRun VM is a great
choice."— Jeff James, Windows IT Pro

"I really like the simplified approach that
everRun VM takes to server availability: The
completely automated setup and configuration
make it a unique product in the arena."

—Jason Bovberg, senior editor, Windows IT Pro

Community Choice

GOLD:

DataKeeper Cluster Edition • SteelEye Technology •
www.steeleye.com

SILVER:

Veritas Storage Foundation HA for Windows • Symantec •
www.symantec.com

BRONZE:

True Image Echo Server • Acronis • www.acronis.com


Quotes from the Windows IT Pro community
about SteelEye's DataKeeper Cluster Edition ...

"A cost-effective and comprehensive DR solution."

"Very reasonably priced for what you get."


Your Top 10 Most Overused IT Buzzwords 

10. "ROI"

9. "Paradigm" 

8. "Anything -ware: malware, spyware, adware..." 

7. "Robust" 

6. "Virtualize" 

5. "Convergence" 

4. "Green" 

3. "Cloud" 

2. "Web 2.0" 

1. "Tweet"


Best IT Automation Product

Editors' Best

GOLD:

Automation Anywhere Enterprise • Automation Anywhere •
www.automationanywhere.com

SILVER:

NetIQ Aegis • NetIQ • www.netiq.com

BRONZE:

AutoMate 7 • Network Automation •
www.networkautomation.com

"Automation Anywhere Enterprise isn't the
only IT automation product on the market,
but it's arguably one of the best."— Jeff James,
Windows IT Pro

"This best-of-breed solution lets you easily
design and manage your automation task—
without the necessity of programming
knowledge."— Jason Bovberg, senior editor,
Windows IT Pro

Community Choice

GOLD:

AutoMate 7 • Network Automation •
www.networkautomation.com

SILVER:

Kaseya 6.0 • Kaseya • www.kaseya.com

BRONZE:

NetIQ Aegis • NetIQ • www.netiq.com

Quotes from the Windows IT Pro community
about Network Automation's AutoMate 7 ...

"Automates common IT scripting processes via an
intuitive, easy-to-use IDE."

"I can honestly say that this product has streamlined
and simplified my job."


Best Interoperability Product

Editors' Best

GOLD:

Centrify Suite 2008 • Centrify • www.centrify.com

SILVER:

Splunk • Splunk • www.splunk.com

BRONZE:

Quest Authentication Services • Quest Software • www.quest.com

"If you're a systems administrator in charge of
managing a diverse assortment of platforms
and OSs while simultaneously remaining compliant
with complex regulatory requirements
such as HIPAA, SOX, and PCI, you should put
Centrify Suite 2008 on your shopping list."

—Jeff James, Windows IT Pro

"We love Centrify DirectControl. It allows our
clients to easily integrate their non-Windows
systems into Active Directory (AD), and we can
even support AD GPO's on Linux, UNIX, and
Macs!"— Dustin Puryear, contributor,
Windows IT Pro

Community Choice

GOLD:

Quest Authentication Services • Quest Software • www.quest.com

SILVER:

GroupLogic ExtremeZ-IP 6.0 • GroupLogic • www.grouplogic.com

BRONZE:

Centrify Suite 2008 • Centrify • www.centrify.com

Quotes from the Windows IT Pro community
about Quest Authentication Services ...

"Lets us extend AD's security and compliance
such that identities from UNIX, Linux, and Mac
platforms and enterprise applications can
interoperate with AD."

"Stellar product, great support."


FUN FACT:

Windows XP Professional had a strong showing
in the Microsoft category, perhaps indicating that
Windows 7 adoption won't be as robust as
Microsoft hopes it will be. What do you think?


Best Messaging Product

Editors' Best

GOLD:

PROMODAG Reports for Microsoft Exchange Server 8.5 •
PROMODAG • www.promodag.com

SILVER:

Zenprise MobileManager • Zenprise • www.zenprise.com

BRONZE:

E-mail Security Platform • Sendio • www.sendio.com

"PROMODAG remains the gold standard for
Exchange admins who want to mine message
tracking logs for data to help them understand
the volume of messages their servers handle.
PROMODAG Reports is a great example of
sustained success because they take a source
of data that Microsoft has largely ignored and
use it to provide insight that is compelling and
valuable for administrators."— Tony Redmond,
contributing editor, Windows IT Pro

"As a mature product, PROMODAG Reports
manages reporting for Exchange quite well.
The product is simple and it works. It has
well over 100 reports and certainly includes
all the reports most requested by customers.
PROMODAG Reports is an excellent choice
for SMBs."— William Lefkovics, contributor,
Windows IT Pro

Community Choice

GOLD:

Skype • Skype • www.skype.com

SILVER:

Google Apps • Google • www.google.com

BRONZE:

Lotus Notes • IBM • www.ibm.com

Quotes from the Windows IT Pro community
about Skype ...

"I've loved Skype since the first day I used it."

"Free VoIP, anywhere in the world!"

"In a class by itself"


Your Top 10 Most Encouraging IT Trends

10. "Software as a Service (SaaS), turnkey solutions,
less time wasted on infrastructure."

9. "Dual-core and quad-core computing."

8. "Increasing power of mobile phones and devices."

7. "More women in IT."

6. "Microsoft seems to finally be getting things right again."

5. "Social networking."

4. "Open-source acceptance."

3. "Solid state drives."

2. "Cloud computing."

1. "Virtualization."


Your Top 10 Least Encouraging IT Trends

10. "Umbrella suites that force you to buy more
functionality than you need."

9. "Products released in beta mode."

8. "Cloud computing."

7. "Virtualization."

6. "Leveraging legacy systems while adopting innovation."

5. "Open-source solutions."

4. "Social networking."

3. "Malware."

2. "Outsourcing."

1. "Global recession: Pay isn't bouncing back."


Best Microsoft Product

Editors' Best

GOLD: 

Windows Server 2008 • Microsoft • www.microsoft.com 

SILVER: 

SQL Server 2008 • Microsoft • www.microsoft.com 

BRONZE: 

System Center Virtual Machine Manager 2008 • 
Microsoft • www.microsoft.com 

"Windows Server 2008 is undoubtedly 
the best Windows Server product yet, 
and serves as a solid foundation to build 
a Windows IT infrastructure. Server 2008 
R2 promises to make this stand-out 
product an even more stellar performer." 

—Jeff James, Windows IT Pro 

"Microsoft continues to improve the SQL 
Server platform, and SQL Server 2008 should 
help Microsoft continue to make inroads into 
larger and larger enterprise applications." 

—Jeff James, Windows IT Pro 





Community Choice 

GOLD: 

Exchange Server 2007 • Microsoft • www.microsoft.com

SILVER: 

Office 2007 Professional • Microsoft • www.microsoft.com 

BRONZE: 

Windows XP Professional • Microsoft • 
www.microsoft.com 

Quotes from the Windows IT Pro community 
about Microsoft Exchange Server 2007 ... 

"It integrates with everything I do." 

"It's a beast." 


FUN FACT: We limited all Microsoft commercial
products to the Best Microsoft Product category. 


Best Network Management Product

Editors' Best

GOLD: 

Observer 13 • Network Instruments • 
www.networkinstruments.com 

SILVER: 

Orion Network Performance Monitor • SolarWinds • 
www.solarwinds.com 

BRONZE: 

EventSentry • NETIKUS.NET • www.netikus.net 

"Network Instruments continues to be a 
groundbreaker in the realm of network 
management, and its Observer monitoring 
platform—which prides itself on retrospective 
network analysis (essentially a "TiVo for your 
network")—is testament to that. The latest version
of Observer brings the power of real-time
analysis to virtualized environments."— Jason
Bovberg, senior editor, Windows IT Pro 

"If you've ever dreamed of attaining unprecedented
visibility into your network and the
devices that connect to it, you need to take a
look at Observer. This product just keeps getting
better."— Jeff James, Windows IT Pro

Community Choice

GOLD: 

NetFlow • Cisco Systems • www.cisco.com 

SILVER: 

Orion Network Performance Monitor • SolarWinds • 
www.solarwinds.com 

BRONZE: 

GFI Network Server Monitor • GFI • www.gfi.com 


Quotes from the Windows IT Pro community
about Cisco Systems' NetFlow ...

"More a standard now than a product, it's just the
essential information at the heart of network traffic."

"Industry standard."


Best Mobile and Wireless Product

Editors' Best

GOLD:

iPhone 3GS • Apple • www.apple.com

SILVER:

BlackBerry Bold • Research in Motion • www.blackberry.com

BRONZE:

Athena • Odyssey Software • www.odysseysoftware.com

"Apple has clearly shaken up the smartphone
industry, and other smartphone vendors are
struggling to reach parity. Cheaper mobile
phone solutions exist for the enterprise, but
none are having as large of an impact on the
mobile enterprise as the iPhone."— Jeff James,
Windows IT Pro

"The iPhone 3GS has terrific fit and finish, the
web browser is better than anything available
on any other mobile device platform, and the
UI is polished, fast, and easy to learn."— Paul
Robichaux, contributing editor, Windows IT Pro


Community Choice

GOLD:

iPhone OS 3.0 • Apple • www.apple.com

SILVER:

BlackBerry Enterprise Server • Research in Motion •
www.blackberry.com

BRONZE:

AstraSync for BlackBerry • MailSite Software •
www.mailsite.com

Quotes from the Windows IT Pro community
about Apple's iPhone OS 3.0 ...

"It's the best mobile OS by far."

"An even better fit for the enterprise."


FUN FACT: The Apple iPhone and Apple MacBook Pro received a healthy number of votes
from Windows-based IT pros. Is the Mac making surprising headway in the enterprise?


Best Patch Management Product


Editors' Best 

GOLD: 

Shavlik NetChk Protect • Shavlik • www.shavlik.com 

SILVER: 

ZENworks Patch Management • Novell • www.novell.com

BRONZE: 

Numara Patch Manager • Numara Software • 
www.numarasoftware.com 

"Shavlik NetChk Protect does a terrific job of
automating the patch process, and its scheduler
is particularly effective, discovering and
deploying patches while constantly monitoring
system needs."— Jason Bovberg, senior editor,
Windows IT Pro

"Whether you need patch management, 
asset management, or security management, 
Shavlik NetChk Protect makes your job easier 
by automating your troubleshooting efforts. 
Today's less-is-more IT departments need this 
kind of tool to handle these types of tasks." 

—Jeff James, Windows IT Pro 


Community Choice 

GOLD: 

Patch Authority Ultimate • ScriptLogic • www.scriptlogic.com 

SILVER: 

ZENworks Patch Management • Novell • www.novell.com 

BRONZE: 

Prism Patch Manager • New Boundary Technologies • 
www.newboundary.com 

Quotes from the Windows IT Pro community
about ScriptLogic's Patch Authority Ultimate ...

"For the enterprise, there's just nothing more complete."

"Lets you accomplish everything you need to do
from one central UI."



Best Scripting Tool 


Editors' Best 

GOLD: 

PowerShell Plus Professional Edition • Idera • www.idera.com 

SILVER: 

PrimalForms 2009 • Sapien Technologies • www.sapien.com 

BRONZE: 

WMIX 2.0 • PJ Technologies • wmix.pjtec.com 

"PowerShell Plus has features that all types of
administrators can use, no matter the type of
systems they manage or how well-versed they
are in PowerShell. It's a well-rounded IDE."—
Karen Bemowski, senior editor, Windows IT Pro

"PowerShell Plus is simply the most effective
IDE available. Even if you're a PowerShell
expert, you'll benefit from this product's powerful
console and script debugger."— Jeff James,
Windows IT Pro


Community Choice 

GOLD: 

PowerShell Plus Professional Edition • Idera • www.idera.com 

SILVER: 

TextPad • Helios Software Solutions • www.textpad.com 

BRONZE: 

UltraEdit • IDM Computer Solutions • www.ultraedit.com

Quotes from the Windows IT Pro community 
about Idera's PowerShell Plus ... 

"The library of sample solutions is great to jumpstart 
some necessary administrative tasks." 

"Best-of-breed IDE for PowerShell. It's a must-have 
for PowerShell users." 

"Best debugging and code completion for PowerShell
scripts. Period."


FUN FACT: Windows 7 was ineligible for this year's Editors' Best and Community Choice awards because it wasn't
released at press time. However, just for fun, we included it as a choice in our voting, and it took the top prize in the
Best Microsoft Product category, suggesting that it's got a lot of buzz building in its pre-release state. Contributing
editor Michael Dragone says, "If you skipped Windows Vista, as the majority of the IT world did, you might be
approaching Windows 7 with some hesitation. Don't. Windows 7 is polished and ready for enterprise prime-time."


Best Security Product

Editors' Best

GOLD:

Likewise Open 5.1 • Likewise • www.likewise.com

SILVER:

F5 BIG-IP Local Traffic Manager 10.0 • F5 • www.f5.com 

BRONZE: 

HP ProtectTools • HP • www.hp.com 

"Likewise Open is a nice Windows, UNIX,
Linux, Mac integration product allowing
for centralized security management from
Active Directory and Enterprise single sign-on
(ESSO)."— Jan De Clercq, contributing editor,
Windows IT Pro

"Likewise Open is a treat to the networking 
community. The software lets Linux and UNIX 
systems authenticate to an Active Directory 
server and is capable of providing single sign-on
(SSO) functionality."— Mark Joseph Edwards,
senior contributing editor, Windows IT Pro 

Community Choice

GOLD: 

Symantec Endpoint Protection • Symantec • 
www.symantec.com 

SILVER: 

GFI EndPointSecurity • GFI • www.gfi.com 

BRONZE: 

Citrix Access Gateway • Citrix • www.citrix.com 

Quotes from the Windows IT Pro community 
about Symantec Endpoint Protection ... 

"It's got the most complete assemblage of functionality
and innovation."

"Best in class. I use it every day and have never had 
a virus." 

"Most comprehensive endpoint security solution on 
the market today." 


Best SharePoint Product

Editors' Best 

GOLD: 

ControlPoint for SharePoint • Axceler • www.axceler.com 

SILVER: 

Professional Archive Manager for SharePoint • Metalogix • 
www.metalogix.net 

BRONZE: 

NearPoint for SharePoint • Mimosa Systems • 
www.mimosasystems.com 

"ControlPoint helps IT pros get better control
of their SharePoint environment through permissions
management, content management,
in-depth usage analysis, policy enforcement,
and flexible alerts and scheduled analyses."

—Jeff James, Windows IT Pro

"ControlPoint helps you manage and monitor
large farms effectively and integrates well
with the existing SharePoint UI; the ability
to manage user permission levels is nicely
implemented."— Curt Spanburgh, contributing
editor, Windows IT Pro


Community Choice

GOLD:

Site Administrator for SharePoint • Quest Software • www.quest.com

SILVER:

Colligo Contributor Pro • Colligo Networks • www.colligo.com

BRONZE:

CorasWorks Workplace Suite 10 • CorasWorks • www.corasworks.com

Quotes from the Windows IT Pro community 
about Quest Software's Site Administrator for 
SharePoint ... 

"Has helped me completely understand and manage
my entire SharePoint environment."

"For SharePoint management of servers and sites, it's 
the best and most comprehensive product out there." 


Best Systems Management Product

Editors' Best

GOLD: 

Double-Take Move • Double-Take • www.doubletake.com 

SILVER: 

Prowess SmartDeploy Enterprise • Prowess • 
www.smartdeploy.com 

BRONZE: 

GPOADmin with netPro NetControl • Quest Software •
www.quest.com

"Double-Take Move is an impressive, no-fuss 
solution that has all bases covered; it eliminates 
the hazards associated with migration to new 
hardware, uses mature technology with support 
for locked files, is hardware independent, and 
even captures NTFS alternate data streams and 
transactions. Applications and users can stay 
online during migration and experience only a 
short disruption in service during cutover." 

—Russell Smith, contributor, Windows IT Pro 

"SmartDeploy overcomes one of the major
drawbacks of standard disk-imaging solutions—
having to create a master image for each hardware
platform—by providing Platform Packs
to download at no additional cost."—Eric B. Rux,
contributing editor, Windows IT Pro

Community Choice 

GOLD: 

Altiris Client Management Suite • Symantec • 
www.symantec.com 

SILVER: 

Desktop Authority • ScriptLogic • www.scriptlogic.com 

BRONZE: 

HP Operations Manager • HP • www.hp.com 

Quotes from the Windows IT Pro community 
about Symantec's Altiris Client Management 
Suite ... 

"Out of all the vendors we considered, Symantec 
offered the most comprehensive capabilities." 

"By far the best in the market for multi-platform, 
multi-device client management." 

"Industry leader." 


Best System Utility 

Editors' Best

GOLD:

Diskeeper 2009 • Diskeeper • www.diskeeper.com

SILVER:

Norton SystemWorks Basic Edition 12.0 •
Symantec • www.symantec.com

BRONZE: 

GFI Network Server Monitor • GFI • www.gfi.com 

"Diskeeper does its job well. It defragments
in the background without hurting system
performance and doesn't require defragmentation
scheduling."—Zac Wiggy, assistant
editor, Windows IT Pro

"Diskeeper 2009 is loaded with features, 
works as advertised, and can bring the most 
choppy and fragmented hard drive back to 
silky-running smoothness." 

—Jeff James, Windows IT Pro 



Community Choice 

GOLD: 

Norton SystemWorks • Symantec • 
www.symantec.com 

SILVER: 

Diskeeper 2009 • Diskeeper •
www.diskeeper.com

BRONZE: 

Acronis Disk Director • Acronis • www.acronis.com 


Quotes from the Windows IT Pro community 
about Symantec's Norton SystemWorks ... 

"I had a sluggish, mostly unresponsive computer, 
and after letting Norton SystemWorks loose on it, 
the system is now as fast as it used to be." 

"I've always had great luck with Norton products." 


Editors' Best and Community Choice Awards


Best Free or Open Source IT Tool

Editors' Best

GOLD: 

Spiceworks • Spiceworks • www.spiceworks.com 

SILVER: 

PowerGUI • Quest Software • www.powergui.org 

BRONZE: 

TrueCrypt • TrueCrypt • www.truecrypt.com

"Spiceworks is arguably the best of a new
breed of free, web-based services for IT
pros that combine impressive feature sets
with active, online communities"—Jeff
James, Windows IT Pro

"Designing and configuring a full-blown
SNMP-based network management system
(NMS) console can be an expensive
and time-consuming process. Spiceworks
eliminates the tedium and lowers the up-front
cost by delivering an NMS console
as a web service hosted offsite."—Mel
Beckman, contributing editor, SQL Server
Magazine

"There are a lot of PowerShell scripting and 
GUI tools on the market these days, but 
PowerGUI remains one of the best, and it's 
free!"— Jeff James, Windows IT Pro 

Community Choice

GOLD: 

Sysinternals Suite • Microsoft • www.microsoft.com 

SILVER: 

Adobe Reader • Adobe • www.adobe.com 

BRONZE: 

AVG Free • AVG Technologies • www.avg.com 

Quotes from the Windows IT Pro community 
about Microsoft's Sysinternals Suite ... 

"You might not need all of these tools, but the 
ones you do need are absolutely essential." 

"No IT pro can afford to be without these tools." 
"A must-have collection for the serious admin." 


Best Training and Certification Product or Service 


Editors' Best

GOLD:

LabSim • TestOut • www.testout.com

SILVER:

Train Signal Computer Training Videos • Train Signal •
www.trainsignal.com

BRONZE: 

PrepLogic eLearning Videos • PrepLogic • www.preplogic.com 

"TestOut's LabSim is a true innovator in the IT
training and certification space. Newcomers to
the field can gain a level of hands-on experience
on or off campus unlike ever before, and
seasoned professionals have easy access to
skills-based online training to earn additional
certifications or degrees."—Brian Reinholz,
production editor, Windows IT Pro

"The thing I like most about PrepLogic's certification
practice exams, like Network+ 2009
practice exam, is the answers. You're not going
to get feedback like 'C is the correct answer.'
Instead, the exams explain why the correct
answers are right and why the incorrect answers
are wrong. It's a real learning experience."
—Tom Carpenter, contributor, Windows IT Pro


Community Choice 

GOLD: 

Train Signal Computer Training Videos • Train Signal • 
www.trainsignal.com 

SILVER: 

LabSim • TestOut • www.testout.com

BRONZE:

Global Knowledge IT Training Classes • Global Knowledge •
www.globalknowledge.com 

Quotes from the Windows IT Pro community 
about Train Signal's training videos ... 

"Train Signal videos are definitively the building 
blocks of creating a solid foundation when learning 
a technology such as Exchange 2007." 

"Very polished, excellent instruction."


Best Virtualization Product 


Editors' Best

GOLD: 

VMware vSphere 4 • VMware • www.vmware.com 

SILVER: 

NxTop • Virtual Computer • www.virtualcomputer.com

BRONZE: 

Citrix XenServer 5.5 • Citrix • www.citrix.com 

"VMware vSphere 4 has a lot of nice new 
features, but you can justify the upgrade by 
the increase in performance alone. We're 
seeing performance increases of 20 to 30 
percent and in some cases even higher 
depending on the application with the same 
hardware."— Alan Sugano, contributing editor, 
Windows IT Pro 

"NxTop is a complete end-to-end solution
that allows you to create and deploy VMs to
systems with a management console that
helps you keep track of who has what. It also
has a remote swipe option so that if a system
gets stolen and boots up and connects,
the VM evaporates."—J. Peter
Bruzzese, contributor, Windows IT Pro


Community Choice

GOLD:

VMware ESX Server 3.5 • VMware • www.vmware.com

SILVER:

Endpoint Virtualization Suite • Symantec •
www.symantec.com

BRONZE:

Citrix XenServer • Citrix • www.citrix.com

Quotes from the Windows IT Pro community
about VMware ESX Server 3.5...

"Simply the most important, sophisticated virtualization
product on the market."

"It's evolved into such a mature virtualization
product!"

InstantDoc ID 102984


Your Top 10 Favorite IT Websites 

10. Google (www.google.com) 

9. Major Geeks (majorgeeks.com) 

8. Microsoft TechNet (technet.microsoft.com) 

7. The Register (www.theregister.co.uk) 

6. Server Fault (www.serverfault.com) 

5. Slashdot (slashdot.org) 

4. Windows IT Pro (www.windowsitpro.com) 

3. GPAnswers.com (www.gpanswers.com) 

2. The CodeProject (www.codeproject.com) 

1. Experts Exchange (www.experts-exchange.com) 
CUTTING-EDGE CONTENT • EXPERT SPEAKERS • GREAT LOCATION


SharePointPro 2010 SUMMIT & EXPO


MARCH 16-19, 2010 • LAS VEGAS BELLAGIO


f 2070 


sessions 


> Dive into SharePoint 2010 with industry experts

> Get the insider's scoop at cutting-edge Microsoft keynotes

> Explore the best migration path to SharePoint 2010

> Expand your social network and build valuable relationships

> Visit the expo hall for new products and services


Hear from: Steve Fox (Microsoft), Thomas Rizzo (Microsoft),
Andrew Connell, Todd Klindt, Dan Holme,
Scot Hillier and others


www.SharePointProSummit.com 

203-400-6121 OR CALL TOLL FREE AT 800-438-6720


Microsoft DevConnections magazine • SharePointPro CONNECTIONS
PENTON MEDIA
Dive Into Microsoft SharePoint 2010 with Microsoft and Industry Experts!




^to Attend 


FEATURED SPEAKERS 



THOMAS RIZZO • MICROSOFT
STEVE FOX • MICROSOFT
ANDREW CONNELL • CRITICAL PATH TRAINING, LLC
TED PATTISON • CRITICAL PATH TRAINING, LLC
DAN HOLME • INTELLIEM, INC.
TODD BAGINSKI • ADVAIYA, INC.
ROBERT BOGUE • THOR PROJECTS
KIRK EVANS • MICROSOFT
SCOT HILLIER • SCOT HILLIER TECHNICAL SOLUTIONS, LLC
JOHN HOLLIDAY • JOHN HOLLIDAY & ASSOCIATES, INC.
TODD KLINDT • SHAREPOINT911
MICHAEL NOEL • CONVERGENT COMPUTING
ASIF REHMANI • SHAREPOINT ELEARNING.COM
SHANE YOUNG • SHAREPOINT911



■ Celebrate the launch 
of SharePoint 2010 with 
members of the teams 
that built the products. 


■ Find out from industry 
insiders the best migration 
path if your company is 
considering an upgrade. 


■ Listen to Microsoft discuss 
the many enhancements 
and new features of 
SharePoint 2010. 


■ Find products and services 
from our partners in the Expo 
Hall that can save money, 
save time, and help your 
business do more. 


■ Book your hotel early and 
take advantage of GREAT 
hotel rates at the world 
famous Bellagio. Register 
by the early bird date and 
get a $100 Bellagio gift 
certificate. 


■ Unwind in Vegas and make 
new friends! You know what 
they say about Vegas... 


■ Enjoy the excitement and 
luxury of one of Las Vegas’ 
premiere hotels. Enjoy some 
of the best dining in the 
culinary world, famous 
Vegas shows, fine shopping, 
the famous fountains of 
the Bellagio, the gallery of 
fine art, the World-famous 
Shadow Creek golf course 
and the 24/7 buzz of the 
casino. 


Register Today! 

Call 800-438-6720 
www.SharePointProSummit.com 



















SAMPLING OF SESSIONS 
PRESENTED BY MICROSOFT 
SPEAKERS. 

Please check Web site as we add more 
sessions that are currently under NDA. 

OVERVIEW OF MICROSOFT SHAREPOINT 
2010 FOR THE DEVELOPER 

INTRODUCTION TO SHAREPOINT 
DEVELOPMENT WITH VISUAL 
STUDIO 2010 

DEVELOPING BUSINESS INTELLIGENCE 
SOLUTIONS WITH SHAREPOINT 2010 

OVERVIEW OF ENTERPRISE CONTENT 
MANAGEMENT IN SHAREPOINT 2010 

WEB CONTENT MANAGEMENT 
IMPROVEMENTS IN SHAREPOINT 2010 

ENHANCING THE SHAREPOINT 2010 USER 
EXPERIENCE THROUGH SILVERLIGHT 

OVERVIEW OF HOW TO INTEGRATE 
CUSTOM OFFICE SOLUTIONS WITH 
SHAREPOINT 2010 

OVERVIEW OF SHAREPOINT 2010 ONLINE 

OVERVIEW OF SHAREPOINT 2010 FOR 
THE IT PROFESSIONAL 

SOCIAL COMPUTING ENHANCEMENTS IN 
SHAREPOINT 2010 

OVERVIEW OF ENTERPRISE SEARCH IN 
SHAREPOINT 2010 

SHAREPOINT DEVELOPMENT 
APPLICATION LIFECYCLE MANAGEMENT 


UPGRADING & EXTENDING SHAREPOINT 
2007 WCM SITES WITH SHAREPOINT 
SERVER 2010 WEB CONTENT 
MANAGEMENT ANDREW CONNELL 

INTERACTING WITH SHAREPOINT 2010 
OFF THE SERVER: INTRODUCING THE 
CLIENT OBJECT MODEL 
ANDREW CONNELL 

CUSTOMIZING SHAREPOINT 2010 
ENTERPRISE CONTENT MANAGEMENT 
DOCUMENT SETS ANDREW CONNELL 

INTRODUCTION TO SHAREPOINT 
DESIGNER 2010: TOP 10 GREAT THINGS 
TO KNOW! ASIF REHMANI


Sessions and speakers are subject to change. 
Check the Web site for details. 


OVERVIEW: CREATING WORKFLOWS WITH 
SHAREPOINT DESIGNER 2010, INFOPATH AND
VISIO ASIF REHMANI

GENERATE AND PUBLISH ELECTRONIC 
FORMS ON YOUR INTRANET USING INFOPATH 
2010... NO CODE REQUIRED! 

ASIF REHMANI 

INDUSTRIAL STRENGTH RECORDS 
MANAGEMENT IN SHAREPOINT 2010 
JOHN HOLLIDAY 

PROGRAMMING BUSINESS CONNECTIVITY 
SERVICES SOLUTIONS IN OFFICE 2010 
JOHN HOLLIDAY 

EXTENDING THE VISUAL STUDIO 2010 
SHAREPOINT TOOLS TED PATTISON 

SECURITY CHANGES AND ENHANCEMENTS IN 
SHAREPOINT 2010 TED PATTISON 

BEST PRACTICES FOR ACCESSING 
SHAREPOINT 2010 LIST DATA 
SCOT HILLIER 

USING BUSINESS CONNECTIVITY SERVICES 
TO ACCESS EXTERNAL SYSTEMS WITH 
SHAREPOINT 2010 SCOT HILLIER 

CREATING SEARCH-BASED SOLUTIONS WITH 
SHAREPOINT 2010 SCOT HILLIER 

CREATING CUSTOM OFFICE BUSINESS 
APPLICATIONS WITH BUSINESS 
CONNECTIVITY SERVICES AND THE 
SHAREPOINT CLIENT OBJECT MODEL 
TODD BAGINSKI 

HOW TO CREATE A YOUTUBE-LIKE 
APPLICATION IN SHAREPOINT WITH THE 
DIGITAL ASSETS LIBRARY - WITHOUT 
WRITING ANY MANAGED CODE! 

TODD BAGINSKI 

SHAREPOINT 2010 DEVELOPER BEST 
PRACTICES KIRK EVANS 

DEVELOPING ADVANCED SHAREPOINT 2010 
WORKFLOWS WITH VISUAL STUDIO 2010 
KIRK EVANS 

APPLICATION LIFECYCLE MANAGEMENT WITH 
SHAREPOINT 2010 AND TEAM FOUNDATION 
SERVER 2010 KIRK EVANS 

DESIGNING GOVERNANCE: HOW 
INFORMATION MANAGEMENT AND SECURITY 
MUST DRIVE YOUR DESIGN DAN HOLME 

SHAREPOINT TAKES THE GOLD IN TORINO, 
BEIJING AND VANCOUVER BROADCASTS 
DAN HOLME 

DRIVING VALUE AND END USER ADOPTION 
WITH SHAREPOINT AND OFFICE CLIENT 
SOLUTIONS DAN HOLME 


ARCHITECTING A HIGH PERFORMANCE AND 
FAULT TOLERANT SHAREPOINT 2010 FARM 
MICHAEL NOEL 

PLANNING FOR HIGHLY SCALABLE 
SHAREPOINT 2010 CONTENT DATABASES 
MICHAEL NOEL 

CONFIGURING SHAREPOINT 2010 
AUTHENTICATION FOR EXTRANETS 
MICHAEL NOEL 

PROTECTING YOUR SHAREPOINT 2010 
CONTENT WITH SQL SERVER 2008 
TRANSPARENT DATABASE ENCRYPTION 
MICHAEL NOEL 

SHAREPOINT SITE LIFECYCLE-CREATING 
AND ARCHIVING SITES ROBERT BOGUE 

PROTECTING YOUR SHAREPOINT 
ENVIRONMENT FROM THE EVIL DEVELOPERS 
-QUOTAS, SANDBOXES, AND QUERIES 
ROBERT BOGUE 

BACKUP/RESTORE, POWERSHELL WITH 
SHAREPOINT ROBERT BOGUE 

BEGINNING YOUR ADMINISTRATIVE JOURNEY 
WITH SHAREPOINT 2010 
SHANE YOUNG & TODD KLINDT 

CONTINUING YOUR ADMINISTRATIVE 
JOURNEY WITH SHAREPOINT 2010 
SHANE YOUNG & TODD KLINDT 

ADMINISTRATION OF SHAREPOINT 2010 
USING POWERSHELL, THE NEW COOLNESS 
SHANE YOUNG & TODD KLINDT 

SHAREPOINT 2010 ADMINS AND THE DBA 
DUTIES THEY HATE 

SHANE YOUNG & TODD KLINDT 

...and more 

MARCH 16, 2009 9AM - 4PM

PRECON WORKSHOP: SHAREPOINT 
COLLABORATION JUMP START 
DAN HOLME 

PRECON WORKSHOP: BUILDING 
COMPOSITE APPLICATIONS USING 
SHAREPOINT DESIGNER 2010 
AND THE BCS 
RAYMOND MITCHELL 

PRECON WORKSHOP: DEEP DIVE INTO 
SHAREPOINT 2010 WORKFLOWS 
ROBERT BOGUE 

PRECON WORKSHOP: SHAREPOINT 
SERVER 2010: FARM UPGRADE AND 
WHAT'S NEW FOR EXPERIENCED 
SHAREPOINT ADMINS 
SHANE YOUNG & TODD KLINDT 


March 16-19, 2010 | Las Vegas, NV | Register Today! 
VirtualizationPro

2010 SUMMIT & EXPO 


Steve Riley • Mel Beckman • Michael Otey • Dan Holme • John Savill • Alan Sugano


Whether you're already working 
with virtualization or the 
technology is in your future plans, 
the VirtualizationPro 2010 Summit & 
Expo is your destination for 
learning everything you need to 
deploy, configure, secure, 
optimize, and manage 
virtualization technology. 


Participate in technical in-depth sessions and workshops on: 


• VDI and desktop virtualization 

• Server virtualization 

• Application virtualization 

• Virtualized storage 


• High availability and 
disaster recovery 

• The dynamic data center 

• And more! 


Get the whole picture on the Microsoft Hyper-V and 
VMware solutions, including product comparisons 


www.VirtualizationProSummit.com 

800-438-6720 or 203-400-6121 

















SOLUTIONS 


Plan and Execute an Active Directory Merger, Part 2


PROBLEM:

You need to merge the Active Directory and Exchange Server infrastructures from two companies.

SOLUTION:

Use the Active Directory Migration Tool (ADMT) to move users and computers from the smaller company to the larger one, then use Exchange Server's native migration wizard to move mailboxes to a new Exchange organization in the new company.

WHAT YOU NEED:

ADMT, the Inter-Organization Replication tool, Microsoft Exchange Server Exchange Profile Redirector (ExProfRe.exe), network connectivity between the two sites


When your prep work is done, let the migration begin


SOLUTION STEPS:

1. Prepare for merger as described in "Plan and Execute an Active Directory Merger, Part 1" (October 2009, InstantDoc ID 102596).

2. Migrate users and PCs by using ADMT's wizards.

3. Copy Exchange mailboxes into a new Exchange organization, and forward mail to the new location.

4. Migrate public folders.

5. Configure Outlook to find the new Exchange server.


by Eric B. Rux

Your company has just joined with another company, and suddenly you find yourself needing to combine your IT infrastructures. In "Plan and Execute an Active Directory Merger, Part 1" (October 2009, InstantDoc ID 102596), I described a scenario in which the smaller company's domain, Old.local, was being merged into the larger company's domain, New.local. You can follow the steps in that article to prepare for your migration. Now it's time to start merging the Active Directory (AD) and Exchange Server networks of the two companies.

Migrate the Users and PCs

If you've performed all the preparation outlined in Part 1, you should now be ready to migrate the AD objects from the Old.local domain to the New.local domain. It's important that you go slowly so that you have time to work through any problems that arise. When you're ready, start by moving yourself, then move on to the other users and computers in the IT department. If you start with yourself, you'll be sure to have all of the kinks worked out before migrating the rest of the company.

The first time you attempt to migrate an 
object from one domain to the other, the 
Active Directory Migration Tool (ADMT) 
prompts you for some additional setup tasks 
that ADMT will take care of for you. Accept 
the pop-ups so that auditing will be turned 
on, and so that a special group, Domain$$$, 
can be created. After the first time you 
migrate an object, you won't be prompted 
for these actions again. 

To migrate users, follow these steps: 

1. Log on to the dedicated migration 
server created in Part 1 and open ADMT. 

2. Right-click Active Directory Migration Tool and choose User Account Migration Wizard, as Figure 1 shows.

3. Enter the source and target domains. The domain controllers (DCs) you choose should have fast connections to each other.

4. Select the users from the domain. Because the user objects are copied, not moved, I suggest migrating the users in large groups or even all at once.

5. Select the target organizational unit (OU) that users will reside in on the new domain.

6. Migrate passwords. Note that the Password Export Server (PES) setup performed in Part 1 is required to migrate passwords. Also, ensure that the PES service is running on the source DC; this NT Service is set to Manual by default.

7. Set Target Account State to Target same as source. You can also choose to disable the accounts from the source domain if you want to prevent the users from logging on to the old domain.

8. Be sure to check the Migrate user SIDs to target domains check box. This is a very important step.

9. Enter the domain administrator and password for the source domain.

10. Select the Update user rights and Fix users' group memberships check boxes on the Group Options page of the wizard.

11. Don't exclude any properties on the Group Object page of the wizard—leave all check boxes cleared.

12. Don't migrate the source object if there's a conflict.

Figure 1: Launching the User Account Migration Wizard from ADMT


The migration takes only a few seconds for each user object; when migration is complete, you get a report showing the number of objects that were examined and copied as well as any that had errors. After you migrate a few users, verify that the SID History attribute was populated correctly by viewing users' properties in ADSI Edit; you can see an example in Part 1.
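
One way to script the SID History check described above rather than opening each user in ADSI Edit; this is an added example, not code from the article. The function name, account names and SIDs are constructed sample values, and the commented lines at the end assume the ActiveDirectory PowerShell module and a hypothetical target OU path.

```powershell
# Added example, not from the article. Compares each migrated user's
# sIDHistory with the SID of the same-named account in the source domain.

function Get-SidHistoryStatus {
    param(
        [Parameter(Mandatory = $true)] [string]    $SourceDomainSid,  # domain SID of Old.local
        [Parameter(Mandatory = $true)] [hashtable] $SourceSidByName,  # sAMAccountName -> SID string
        [Parameter(Mandatory = $true)] [object[]]  $TargetUsers       # need SamAccountName, SIDHistory
    )

    foreach ($user in $TargetUsers) {
        # "$_" renders SecurityIdentifier objects (live AD) and plain strings
        # (sample data) in the same S-1-5-... text form.
        $history  = @($user.SIDHistory | Where-Object { $_ } | ForEach-Object { "$_" })
        # Hashtables built with @{} compare keys case-insensitively.
        $expected = $SourceSidByName[$user.SamAccountName]

        # Entries from any domain other than the source are not something
        # this migration should have written, so they are reported first.
        $foreign = @($history | Where-Object { -not $_.StartsWith("$SourceDomainSid-") })

        $status = if ($foreign.Count -gt 0)                { 'UnexpectedSid' }
                  elseif (-not $expected)                  { 'NoSourceAccount' }
                  elseif ($history.Count -eq 0)            { 'Missing' }
                  elseif ($history -notcontains $expected) { 'WrongSid' }
                  else                                     { 'OK' }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Status         = $status
            SidHistory     = $history -join ', '
        }
    }
}

# Constructed sample data so the function can be tried without a domain.
$oldSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sourceAccounts = @{
    'asmith' = "$oldSid-1104"
    'bjones' = "$oldSid-1105"
    'cwu'    = "$oldSid-1106"
}
$migrated = @(
    # history holds the matching source SID
    [pscustomobject]@{ SamAccountName = 'asmith';  SIDHistory = @("$oldSid-1104") }
    # migrated without the "Migrate user SIDs" check box
    [pscustomobject]@{ SamAccountName = 'bjones';  SIDHistory = @() }
    # history holds another account's SID
    [pscustomobject]@{ SamAccountName = 'cwu';     SIDHistory = @("$oldSid-1104") }
    # account that exists only in New.local
    [pscustomobject]@{ SamAccountName = 'newhire'; SIDHistory = @() }
)

Get-SidHistoryStatus -SourceDomainSid $oldSid -SourceSidByName $sourceAccounts -TargetUsers $migrated |
    Format-Table -AutoSize

# Against the live domains (assumes the ActiveDirectory module; the OU path
# is a hypothetical placeholder for the target OU chosen in step 5):
# Import-Module ActiveDirectory
# $oldSid = (Get-ADDomain -Server 'Old.local').DomainSID.Value
# $sourceAccounts = @{}
# Get-ADUser -Server 'Old.local' -Filter * |
#     ForEach-Object { $sourceAccounts[$_.SamAccountName] = $_.SID.Value }
# $migrated = Get-ADUser -Server 'New.local' -Filter * -Properties SIDHistory `
#     -SearchBase 'OU=MigratedUsers,DC=New,DC=local'
```

Rows with a status other than OK or NoSourceAccount are the ones to fix before migrating the rest of the company.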

After the users have been migrated, you can migrate their computers. Keep in mind that user migration copies data to the new domain but computer migration moves data to the new domain. For this reason, you need to plan the move to the new domain ahead of time and communicate it well with your users. It might be a good idea to briefly explain to them what you are doing. Give them a screen shot of how to log on to the new domain to ensure they log on to New.local.

Follow these steps to migrate machines to the new domain:

1. Move the computer object in the Microsoft Management Console (MMC) AD Users and Computers snap-in to your special MigrationPrep OU, then reboot the PC. As you'll recall from Part 1, this procedure turns off the Windows Firewall and adds the appropriate users or groups to the Local Administrator Group.

2. Log on to the migration server and open ADMT.

3. Right-click Active Directory Migration Tool, and choose Computer Migration Wizard.

4. Enter the source and target domains.

5. Select the computers you want to migrate from the domain. I recommend migrating only one computer the first few times until you're comfortable with the process. In my experience, a team of two people can migrate a group of 30 computers in about an hour (assuming that the computers are close together). You'll have to experiment to see what works for you.

6. Select the target OU that the computers will reside in on the new domain. I create a MigratedPC OU to keep track of these machines.

7. Don't select any of the check boxes on the Translate Objects screen. We'll translate the computer's security to the new domain in a separate step.

8. Leave the Replace check box selected for Security Translation Options. Click OK to open the User Rights Translate in Add Mode Only dialog box.

9. Choose a value for Minutes before computer restart after wizard completion. This setting gives users a warning before their computer is rebooted.

10. Don't exclude any properties on the Group Object wizard page—leave all check boxes cleared.

11. Don't migrate the source object if there's a conflict.

12. Click Finish.

13. Check for and resolve errors on the Migration Progress page by viewing the error log.

Up to this point, migrating computers is very similar to migrating users. However, after the computer object in AD has been copied to the new domain, there's one additional step to complete: The computer needs to be joined to the New.local domain. You can do this manually or you can let ADMT do it for you. After the objects have been copied, click Close on the Migration Progress window in ADMT, which will bring up the Active Directory Migration Tool Agent Dialog that lets you remotely add multiple computers to the new domain.

14. In the Active Directory Migration Tool Agent Dialog, run the pre-check by clicking Start. The two most common reasons the pre-check fails are firewall and permissions problems.

15. If the pre-check passes, select Run pre-check and agent operation and click Start to add the computer to the new domain and reboot it. Be sure that you've communicated with your users so that you don't surprise them.

Figure 2: Specifying the source server in the Exchange Server Migration Wizard

There's still one more process to run. Before users log on for the first time, run the Security Translation Wizard using ADMT. This wizard updates the security settings on the workstation; any file or folder that was assigned an old\user permission will be changed to new\user. Users' profiles are also translated to the New.local domain. If users log on to a computer before you run the security translation, a new profile is created and all of their settings are left in the old profile. If this happens, don't panic. Simply log on as a user with local administrator privileges, delete the new profile, then run the Security Translation Wizard.

Use the following steps to run the Security Translation Wizard:

1. Right-click Active Directory Migration Tool and choose Security Translation Wizard.

2. Choose Previously migrated objects.

3. Enter the source and target domains.

4. Select the computers you just migrated from the new domain. If you created a MigratedPC OU for use in the prior step 6, they'll be easy to find.

5. Select the target OU under the new domain.

6. Leave all of the check boxes checked on the Translate Objects page of the wizard.

7. Select the Add option on the Security Translation Options wizard page.

8. Don't exclude any properties on the Group Object wizard page—leave all check boxes cleared.

9. Select the Do not migrate source object if there is a conflict check box.

10. Click Finish.

11. Wait for the Active Directory Migration Tool Agent Dialog window to open.

12. Choose one computer to migrate for testing purposes and run the pre-check by clicking Start. This can take a minute.

13. If the Pre-check passes, choose Run pre-check and agent operation, then click Start.

After all users and their computers have been migrated to the new domain, you can perform the migration of the servers and any associated service accounts. This process is similar to migrating users and computers. ADMT has a Service Account Migration Wizard, but I found it easier to migrate the service accounts like typical users, then manually fix the NT services (e.g., SQL Server service). If you have a lot of servers with service accounts, using the Service Account Migration Wizard might be worth your time.

Copy the Exchange Mailboxes 

Unlike the users' computers and the back-office servers, you don't want to migrate your Exchange servers to the new domain. Modern versions of Exchange are deeply integrated with AD. If you migrated the Exchange organization to the New.local domain, there would be no way for you to connect the mailboxes in the mail store to the user objects in AD. Instead of migrating Exchange servers, you'll want to copy the individual mailboxes from the old Exchange organization to a new Exchange organization in the New.local domain.

Exchange 2003 and later have a built-in migration wizard that does a great job of copying multiple mailboxes from one Exchange organization to another—even if they're in different AD forests. Here's the simple procedure for copying from one Exchange 2003 organization to another Exchange 2003 organization:

1. Log on to an Exchange server in the 
New.local domain. 

2. Click Start, Microsoft Exchange, 
Deployment, Migration Wizard. 

3. Choose Migrate from Microsoft 
Exchange. 

4. Choose the destination server and 
Information Store where you want the 
mailboxes to be migrated. 

5. Clear the check box for Exchange 5.5 server, and enter the information for the source Exchange server. Note that you must enter the administrator account as domain\user, as Figure 2 shows.

6. Specify a date range (if applicable). 

7. Choose one or more mailboxes that 
you want to migrate. You can select all, or 
select individual mailboxes by using the 
Ctrl key. 

The mailboxes then start to copy from the old domain to the new one. Depending on the size of each user's mailbox, this process can take anywhere from a few minutes to a couple of hours (or even days). I've also noticed a big difference in a defragged Information Store versus a fragmented one. For example, if you take an empty mailbox and send 3,000 messages to it, it will migrate in just a few minutes. However, a well-used mailbox that has 3,000 messages that have been received over the past year will take significantly longer because the messages aren't contiguous (written one after the other) in the Information Store. Other factors such as system and network performance can also greatly affect the speed of the mailbox copy, so be sure to run a few tests with mailboxes so you'll have an idea of how long this process will take.

Figure 3: Using Active Directory Users and Computers to find a bad SMTP address after migration

Prep and Go 

Email is an essential part of 
business communications, 
so you'll want to be extra 
careful when you switch to 
the new email system. You 
might be able to kick users 
out of Outlook long enough 
to move the mailboxes, but 
you have no control of the 
email that will continue to 
flow to your email gateway. No matter what 
you do, external messages keep coming. I've 
seen two methods that work for swapping to 
the new system. 

Queue method. The queue method 
works best for companies with few users 
and small Information Stores. Follow these 
steps to implement this method: 

1. Disable email forwarding and let the 
email queue up on the gateway. 

2. Copy the mailboxes from the old 
Exchange server to the new organization. 

3. Enable email forwarding and let 
email flow to the new email server. 

Prep method. The prep method is best for companies with large Information Stores or with mail gateways that can't hold much email in queue. Here are the steps for this method:

1. Copy the mailboxes from the old Exchange server to the new organization. Use a date range and copy email messages only from today. This step creates a mailbox in the destination email server and configures the user account for email.

2. Point the email gateway to the new 
server. Internet email now flows to the new 
server. 

3. Run a second email migration, but 
this time don't specify a date range. This 
step brings the remaining messages over to 
the new server, skipping the duplicates. 

Public Folders 

As I mentioned in Part 1, you can use the Inter-Organization Replication tool (technet.microsoft.com/en-us/library/ee307369.aspx) to migrate public folders from one Exchange organization to another. Another option is to simply export each public folder to a PST, then import them into the new organization. Whichever method you choose, be sure to allow plenty of time because these migrations can be very slow. Identify which public folders you want to migrate early in the project, and don't put it off until the last minute.

Although messages in mailboxes copy over with little difficulty, the configuration of the SMTP addresses can be a bit more problematic. For example, if you have a shared calendar with a user called ITCalendar and a public folder called ITCalendar, one probably had an SMTP address of ITCalendar.old.com and the other was ITCalendar2.old.com. When you migrate these objects, whichever one gets migrated first gets the address without the number 2. If you migrate the public folder first and the user second, the user and the public folder will both have the wrong SMTP address. When you try to correct the address, Exchange informs you that the address you want is already in use. This situation will no doubt drive you nuts as you try to find where these addresses are used.

To find the rogue address and who or what is using it, use Active Directory Users and Computers to perform a custom search as follows: proxyAddresses=smtp:ITCalendar.new.com. Figure 3 shows an example of this custom search.

Point Outlook to the New Exchange Server

When you move Exchange mailboxes within an Exchange organization, Outlook and
Exchange communicate in the background and the users' Outlook profiles are
updated automatically. However, when you move mailboxes to a different
Exchange organization, Outlook has no way of knowing where the mailboxes were
moved to. This is where the Microsoft Exchange Server Exchange Profile
Redirector (ExProfRe.exe) comes in. This free, handy utility helps fix your
users' Outlook profiles via a logon script.

To use ExProfRe, create a Group Policy Object (GPO) with a logon script. Copy
ExProfRe.exe to the GPO, and create a simple CMD script with the following
command:

exprofre.exe /targetgc=NEWDC1 /v /n /logfile=c:\UpdateProfile.log

Enter the command on a single line. You can download ExProfRe from the
Microsoft Download Center at
www.microsoft.com/downloads/details.aspx?FamilyId=56F45AC3-448F-4CCC-9BD5-B6B52C13B29C.
In my experience, ExProfRe is very fast and can change a user's Outlook
profile before the user starts Outlook—even if Outlook is in the Start Menu's
Startup folder.

A Successful Ending Begins with Planning

A project of this size takes a lot of planning and practice in a lab
environment. Document every hiccup that you come across, and write clear,
how-to procedure documents that anyone in your IT department could follow.
Many of the step-by-step guides in this article are from my own documentation,
so I know they work. Set up a lab for yourself and write down everything that
you learn. You'll find that a successful migration begins with excellent
planning.

Server 2008 R2

Live Migration and Cluster Shared 
Volumes add high availability 

by John Savill 

To manage a virtual environment well, you need to be able to move
virtual machines (VMs) between virtual servers with no downtime
and provide high availability for services that don't natively support
high availability. Additionally, you need ways to make virtual environments
highly available. For that, you need Failover Clustering.
Windows Server 2008 introduced a failover clustering VM service
type, which allows Hyper-V VM configuration and lets virtual disk resources be
part of a resource group that can be moved between the nodes in the failover
cluster. However, Server 2008's Failover Clustering had several challenges,
which I explain in depth in the web version of this article at
www.windowsitpro.com, InstantDoc ID 102485.

Happily, in Windows Server 2008 R2, both Hyper-V and Failover Clustering
have undergone changes that help to support improved high availability in a
virtual environment. The goal with Server 2008 R2 is to provide a zero-downtime
planned failover. Server 2008 R2's changes address the two challenges with
Server 2008 and planned failover:

1. The need to pause the VM to copy its memory to the target node. 

2. The need to move LUN ownership from one node to another, which 
requires a time-consuming dismount and mount operation of the physical 
disk resource. 

Let's take a look at the changes in Server 2008 R2. They can help you get to a
zero-downtime planned failover.

Live Migration and Challenge #1: Pausing the VM

To address the first challenge of having to 
suspend the VM to copy the memory, the 
Hyper-V team came up with Live Migration, 
which copies the VM's memory to the target 
node while it's still running. This sounds 
very easy, but it's a little more complicated. 

We can't just copy the memory of a VM 
to another node, because as we are copying 
the memory, the VM is still running and 
parts of the memory are changing. Although 
we are copying from memory to memory 
over very fast networks, it still takes a finite 
amount of time. We can't just pause the VM 
while we copy the memory, as that would be 
an outage. The solution is to take an iterative 
approach. 

The first stage in Live Migration is to 
copy the VM's configuration and device 
information from the existing node to the 
target node. This creates a shell VM on the 
target node that acts as a container and 
receives the VM memory and state. 

The next stage is the transfer of the VM memory, which is the bulk of the
information and which takes up the bulk of the time during a Live Migration.
Remember that the VM is still running, so we need a way to track pages of
memory that change while we are copying. To this end, the worker process on
the current node creates a "dirty bitmap" of memory pages used by the VM and
registers for modify-notifications on the pages of memory used by the VM.

When a memory page is modified, the 
bitmap of memory is updated to show a 
page has been modified. After the first pass 
of the memory copy is complete, all the 
pages of memory that have been marked 
"dirty" in the memory map are re-copied 
to the target. This time only the changed 
pages are copied, which means fewer pages 
to copy, and the operation should be much 
faster. However, once again while we are 
copying these pages, other memory pages 
change, and this memory copy process 
repeats itself. 

In an ideal world, with each iteration of 
memory copy the amount of data to copy 
will shrink as the time to copy decreases, 
and we eventually reach a point where all 
the memory has been copied and we can 
perform a switch. However, this might not 
always be the case, which is why there's a 
limit to the number of memory copy passes 
that are performed; otherwise the memory 
copy might just repeat forever. 

After the memory pages have all been copied or we have reached the maximum
number of copy passes (eight at publication time, but this could change), it's
time to switch the VM to execute on the target node. To make this switch we
suspend the VM on the source node, transfer any final memory pages that
couldn't be copied as part of the memory transfer phase, then transfer the
state of the VM to the target, which includes items such as device and
processor state.

We then resume the VM on the target node. An unsolicited ARP reply is sent
notifying that the IP address used by the VM has moved to a new location,
which enables routing devices to update their tables. It's at this moment
that clients now connect to the target node.

You might be wondering which of these 
actions is done automatically and which 
requires admin actions. The answer is that all 
of this is automatic: The only action an admin 
performs is to initiate a live migration. 

Yes, there's a slight suspension of the VM, which is required to copy the
state information, but it lasts only milliseconds and is below the TCP
connection timeout threshold. Clients won't disconnect during the live
migration process, and users are unlikely to notice anything.

After the migration to the new target is complete, the previous host is
notified that it can clean up the VM environment. Figure 1 shows the entire
process: A VM container is created on the target, the memory is copied in
several phases, then the VM state is transferred, which then allows the VM to
start on the target.
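
The pre-copy loop described above, modelled as a small simulation. This is an added example, not Hyper-V code: the random write pattern, the 4 KB page size, the 1 Gbps link, and all function and parameter names are assumptions made for illustration; only the eight-pass limit comes from the article.

```python
import random

MAX_PASSES = 8      # pass limit the article cites "at publication time"
PAGE_SIZE = 4096    # assumption: 4 KB guest memory pages


def simulate_live_migration(total_pages, writes_per_page_copied,
                            max_passes=MAX_PASSES,
                            link_bytes_per_s=125_000_000,  # assumption: 1 Gbps
                            seed=2010):
    """Model the iterative memory copy and the final switch-over.

    writes_per_page_copied is the number of guest page writes that land
    while one page is being sent (guest write rate relative to link speed).
    Returns the pages sent in each pass and what is left for the pause.
    """
    rng = random.Random(seed)
    dirty = bytearray(total_pages)       # the "dirty bitmap": 1 = must resend
    to_send = list(range(total_pages))   # the first pass sends every page
    passes = []

    while to_send and len(passes) < max_passes:
        # Clear the bits for the pages in this pass, then send them.
        for page in to_send:
            dirty[page] = 0
        passes.append(len(to_send))

        # The VM keeps running during the copy, so modify-notifications set
        # bits again. A longer pass gives the guest more time to write.
        for _ in range(int(len(to_send) * writes_per_page_copied)):
            dirty[rng.randrange(total_pages)] = 1

        to_send = [page for page, bit in enumerate(dirty) if bit]

    # Switch-over: the VM is suspended, so nothing new gets dirtied while
    # the remaining pages (and then the device/processor state) are sent.
    final_pages = len(to_send)
    pause_ms = final_pages * PAGE_SIZE / link_bytes_per_s * 1000
    return {
        "passes": passes,
        "converged": final_pages == 0,
        "final_pages": final_pages,
        "pause_ms": round(pause_ms, 1),
    }


if __name__ == "__main__":
    for label, rate in (("idle", 0.0), ("light writes", 0.1), ("heavy writes", 1.5)):
        result = simulate_live_migration(10_000, rate)
        print(label, result)
```

With light write activity each pass is smaller than the one before and the loop ends early with nothing left to copy during the pause; with heavy write activity the dirty set stops shrinking, the pass limit is reached, and the leftover pages lengthen the suspension.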

So Live Migration allows the migration of the configuration, memory, and
state of a VM, with essentially no downtime. Great—but that's only one of the
two challenges solved. What about the movement of the LUN containing the VM
configuration files and VHDs? We need to remove the requirement to move the
LUN between nodes in the cluster.

Figure 1: Live Migration process (1. New virtual machine provisioned on target
node but not active; 2. Content of memory copied from active node; 4. For the
final copy the active VM is paused, so there are no dirty pages during the
final copy if one is required; partition state copied.)

Figure 2: Enabling Cluster Shared Volumes

Cluster Shared Volumes and Challenge #2: Moving the LUN

The dismount and mount operations involved in moving the LUN require
downtime, which may exceed the TCP connection timeout window, resulting in
client disconnections. The basic problem is that NTFS is a shared-nothing file
system and doesn't support multiple OS instances connecting to it
concurrently. (The actual SAN holding the LUNs supports multiple concurrent
connections with no problem.)

To make NTFS-formatted LUNs available to multiple nodes in a cluster
concurrently, enabling all the nodes to read and write at the same time,
Microsoft came up with Cluster Shared Volumes (CSVs), which Figure 2 shows.

How CSVs Work 

Each CSV has one node assigned to act as the coordinator node, which has the
disk online locally and has complete access to the disk as a locally mounted
device. The other nodes receive a raw sector map of the files of interest to
them on each LUN that's part of the CSV. This sector map enables the
non-coordinator nodes to perform read and write operations directly to the
disk without actually mounting the NTFS volume, a process called direct I/O.

The mechanism that allows direct I/O is a CSV filter that's injected into the
file system stack in all nodes in the cluster that receive the sector map from
the coordinator node of each CSV disk. The CSV filter lets the non-coordinator
nodes directly perform I/O to the disk, which is the most common activity when
dealing with VHDs.

However, non-coordinator nodes can't make namespace or metadata changes such
as creating, deleting, and resizing files. These operations require management
of the NTFS structure, which the coordinator node carefully controls to avoid
corruption. Should a non-coordinator node need to perform such an action, it
forwards the action over the network to the coordinator node, which then makes
the namespace changes on the non-coordinator node's behalf.

The CSV filter actually gives us another great feature. In the event a
non-coordinator node loses direct access to the LUN—for example, its iSCSI
network connection fails—all of its I/O can be performed over the network via
the coordinator node.

This action is known as redirected I/O. 
Figure 3, page 60, shows a scenario in which 
a node has lost access to the storage directly 
and the CSV filter redirects all I/O via the 
NetFT network. It's a virtual network that 
binds to one of the physical cluster networks 
that has been enabled for cluster use; it's 
the equivalent of the old private network 
in Windows Server 2003 that was used for 
internal cluster communications such as 
heartbeat. 

The network that NetFT binds to is based on an automatic metric, which is
given to each cluster network; the network with the lowest metric is used by
NetFT. In the beta builds of Windows 2008 R2, the default order for Live
Migration was based on the same metrics used by NetFT, so whatever network
NetFT binds to would be the top network used by Live Migration. This changed
in the Release Candidate and the final code, as Microsoft decided it didn't
want the NetFT traffic and Live Migration traffic on the same network due to
network traffic conflict. So, by default, the Live Migration traffic is
enabled on the network with the second lowest metric.

Figure 3: CSV redirect

You should make sure you check the 
networks you are using for Live Migration 
in your environment as it's quite possible 
Live Migration might choose a network you 
didn't want to use for cluster traffic, such 
as the iSCSI network. You can change the 
Live Migration network order and available 
networks for Live Migration traffic at your 
discretion. (See Figure 4.) 

The actual coordinator node can be changed with minimal impact. There's a
slight pause in I/O if you move the coordinator to another node, as the I/O is
queued at each node. However, the pause is unlikely to be noticed, which is
crucial given how important the coordinator node is to CSV.

Having multiple nodes directly writing to blocks on the disk can cause some
complications, mainly because most utilities don't expect it. When you want to
perform a backup or other disk action such as a defragmentation or chkdsk, you
need to put the disk in maintenance mode, which disables direct I/O from the
other nodes in the cluster and makes them use redirected I/O. This ensures
only the coordinator node is accessing the disk, which stops interference with
backups and disk operations. The good news is that in the final Server 2008 R2
release, the Failover Cluster Management console exposes the defrag and chkdsk
actions and performs all the other preparation tasks for you.

CSV Implications 

Currently CSV supports only Hyper-V. In the future, other scenarios for CSV
might be added.

By using CSV, we're no longer required to move LUNs between nodes in the
cluster during the migration of a VM because the LUN is available to all nodes
all the time, solving the mount/dismount problem.

However, CSV is more than part of a zero-downtime VM migration story.
Previously we had to maintain multiple LUNs to be able to make the information
on them available to different nodes in the cluster. For example, at a
minimum, a four-node cluster required four LUNs to be able to move VMs
independently of one another. Now, with CSV, the LUNs that are part of cluster
storage are available to all nodes, so you don't need separate LUNs. This lets
you share your free space among all VMs on a LUN and makes the configuration
validation wizard faster, since it has to test fewer LUNs.

A Great High Availability Story 

After trying for a long time to break Hyper-V, I can honestly say it works
well. And Live Migration and Cluster Shared Volumes together offer a great
high availability story with Hyper-V. For those of us using the standalone
Hyper-V Server, the great news is that Hyper-V Server 2008 R2 is built on the
Enterprise Edition of Server 2008 R2 Server Core, which means the free
virtualization platform has clustering support—we get Live Migration and CSV
for nothing!

Figure 4: Live Migration traffic sent over the Cluster Internal network

When you want your servers to perform at their best, Windows Server's built-in
performance monitoring and analysis tools offer insight into potential areas for
improvement by letting you monitor current performance information and log
this information over time. However, you must understand the core hardware
performance factors of any server (i.e., Windows servers, Linux servers) to use the
tools effectively.

The four key server hardware components that can be altered to improve performance are the CPU, 
memory, hard disks, and network interface card (NIC). Three of these components are internal (i.e., 
CPU, memory, hard disks) and the fourth component is the gateway to the network. Internal server 
performance determines whether the full NIC capabilities can be utilized, and NIC performance 
determines whether a well-performing internal system matters. As you can see, all four components 
are important and depend on one another. 

In this article, I'll cover these four areas of system performance and explain how to monitor them 
in Windows Server environments. First, I'll explore how systems thinking helps you understand how 
these components affect one another. Then I'll discuss the performance counters available in Windows 
as they relate to the four hardware components. I'll also provide some recommendations for improving 
the performance of your system based on the results of performance monitoring. 

Systems Thinking and Creating a Baseline 

As you monitor and analyze Windows Server performance, it's essential to employ systems thinking,
which requires you to consider the relationships among the hardware components. For example, if CPU
utilization is high, the CPU isn't automatically seen as the problem. Instead, memory and hard disk
utilization should be considered. Is the system using an excessive amount of virtual memory? If that's
the case, CPU utilization might be a symptom of a memory problem rather than evidence of an
insufficient CPU speed.

Figure 1: Option to monitor all CPUs or specific CPUs

Figure 2: Selecting memory counters in the Memory object

I've performed analysis on hundreds of Windows servers and with all of this
experience I've learned one important general guideline: faster CPUs don't
always solve performance problems. It's tempting to throw more speed at the
problem, but remember the old saying: If a man is lost in a city and he drives
faster, he just gets lost faster. You could rephrase this saying for server
performance tuning and say that a faster processor just loops faster while
it's waiting for the true bottleneck to finish working.

When analyzing the performance of a Windows server, you should analyze all
four core components at the same time. Systems thinking indicates that you're
considering the system as a whole and not just evaluating a single component.
Using the systems thinking process will enable you to locate the true
performance bottleneck more quickly.

Before I begin exploring the performance counters, let me explain the need
for a baseline. A performance baseline provides a representation of the
system's performance during acceptable operations. You can create a
performance baseline by monitoring and logging performance counters during a
period of normal operations. I prefer to monitor for an entire work window;
for example, if the organization functions between 9 a.m. and 5 p.m., I'll
monitor during that entire time. Once you've created the performance log, you
can open it in the Performance tool and narrow the viewing window to peak
utilization times. If the server performed acceptably during peak utilization,
you know that the server is well configured for your intended use.

As time goes by, the server is more heavily utilized in most implementations.
Users become more familiar with the system and more productive, meaning they
do things faster and place more demands on the server. Additionally, more
users are often added to the system. All of these factors can result in a
poor-performing system. You can create a new performance log and compare it
with the original baseline to locate problem areas. As the counters are
discussed in the following sections, remember to consider their use in and
against a baseline rather than as simple point-in-time measurements.

CPU Counters 

The Reliability and Performance Monitor in Windows Server 2008 and the
Performance tool (sometimes called System Monitor, but displayed simply as
Performance) in Windows Server 2003 R2 and earlier provide several important
counters related to the four core components. The key CPU counters are listed
under the Processor and Process objects. My favorite Processor counters are
the % Processor Time counter, the % User Time counter, and the % Privileged
Time counter. These three counters are available in the Processor object and
can be monitored for all CPUs or specific CPUs, as shown in Figure 1. They're
also available in the Process object and can be monitored for all processes or
individual processes.

If you notice that the % Processor Time counter is high in the Processor
object, you might want to monitor it in the Process object for each individual
process. Doing so will give you insight into which processes are monopolizing
the processor's time. You might choose to offload some of the processes to a
different server or you might even be able to stop running some processes.
It's amazing how many unused processes often run on Windows servers and even
these unused processes can impact performance as the Windows kernel must still
manage them. Examples of unused processes include startup applications that
aren't used, services that are unneeded, and optional application components
that run as separate processes.

The % Processor Time counter is inclusive of both user mode and kernel mode OS
functions. It's technically a measurement of the time in which the System Idle
Process isn't running. The System Idle Process runs only when no other process
is seeking processor time. I usually look for average % Processor Time values
greater than 65-70 percent before I'm concerned about the processor.

The % User Time and % Privileged Time counters let you monitor user mode and
kernel mode activities independently. These counters can help you to determine
whether a bottleneck is occurring within an application or within the OS.
However, it's important to remember the architecture of the Windows OS. Most
actions are performed in kernel mode, so it's not uncommon to see 70 percent
or more of the activity occurring within kernel or privileged mode.

Figure 3: The Performance tool after loading counters

Memory Counters 

The most valuable memory counters for general server analysis are located in
the Memory object, which is shown in Figure 2. The memory counters that I find
most useful are the Available KBytes counter and the Pages/sec counter. The
Available KBytes counter measures values that sit between Available Bytes and
Available MBytes. The level of detail provided by tracking kilobytes is better
than the limited detail of megabytes and the overwhelming detail of bytes.

The Pages/sec counter is used to track the number of virtual memory pages read
or written per second. On most systems, a 4KB memory page is used, so you can
multiply the Pages/sec value by 4 to calculate the kilobytes passing to or
from the virtual memory file each second, which will give you a better
understanding of just how much data is moved between RAM and the disk each
second.

Hard Disk Counters 

The hard disk counters are divided into two objects: LogicalDisk and
PhysicalDisk. The counters are very similar and the difference is in the way
the disks are referenced. LogicalDisk references the disk by the drive letter
and PhysicalDisk references the disk by the drive number (e.g., drive 0). Both
objects show the same information for a selected counter. However, if you want
to monitor disk activity for all partitions on a disk, you'll need to use the
PhysicalDisk object. The key counters to watch are Average Disk Queue Length,
Disk bytes/sec, and Free Megabytes.

The Average Disk Queue Length counter can reveal whether the drive is keeping
up with the demand of running processes. The most frequently cited threshold
is two items in the queue. If the average is greater than 2, a drive
bottleneck might be occurring. This counter should also be compared to the
baseline. If the baseline shows an average of 2.3 items in the disk queue and
performance was perceived as acceptable, there's no reason to suggest that
performance is unacceptable—at a later time—if the average is the same or
lower. Remember, performance is measurable with statistics, but whether
performance is "good" or "bad" is a relative issue.

The Disk bytes/sec counter can reveal 
whether the drive is living up to expectations. 
Many drives are rated at a certain speed, but 
they perform at lower speeds. This counter 
can reveal such behavior. In many cases, 
updating drive controller drivers might 
resolve such performance problems. 


Free Megabytes isn't really a performance counter, but it's very useful in
predicting future needs. For example, if you measure the free megabytes for
each volume once per month, you can determine consumption rates. With
consumption rates documented, you can predict when you'll need to archive old
data or upgrade to larger hard disk drives.

Network Interface Counters 

The final counters are the network counters. These counters are found in the
Network Interface object. The two key network counters are Bytes Total/sec and
Output Queue Length. The Bytes Total/sec counter should be compared to the
baseline. If this amount has increased dramatically, it could mean the server
is more heavily utilized than it was when the baseline was captured; however,
it could also be a sign of a network attack or the need to offload some
processes. The Output Queue Length counter might help you decide. If this
counter is averaging more than 2, it indicates that the network card (or the
data rate of the infrastructure) isn't able to handle the capabilities
provided by the server. Stated differently, the server is throwing data at the
NIC faster than the NIC can transmit it out on the wire.

Figure 4: Results of the log files created in the Performance tool

Capturing Counters 

Now that I've discussed the 10 most important counters that help you track the
core performance factors in your server, let's look at the process used to
capture these counters. Use the following instructions to load these counters
into the Performance tool in Windows 2003 R2 or Windows 2003:

1. Launch the Performance tool by clicking Start, All Programs, Administrative
Tools, Performance. You'll see that the Pages/sec, Avg. Disk Queue Length, and
% Processor Time counters are already loaded.

2. Click the button with the plus sign icon (or press Ctrl+I)
to add more counters.

3. The Processor object is selected by default. With this object selected,
click the % Privileged Time counter in the Select counters from list section
and then click Add.

4. Next, select the % User Time counter,
and click Add.

5. Select the LogicalDisk object and add the Disk bytes/sec and Free Megabytes
counters by performing steps 3 and 4 again.

6. Select the Memory object and add
Available KBytes.

7. Finally, select the Network Interface
object and add the Bytes Total/sec and
Output Queue Length counters.

After selecting the counters and clicking OK, you should see graphs similar to
Figure 3, page 67. By default the counters are monitored automatically and
will continue to be monitored until you stop the process. You might have more
or less activity on your server depending on current operations. Loading the
performance counters into the Performance tool lets you monitor live activity.
Monitoring live activity is just one way to use this powerful performance
tool. In addition, you must create a performance log if you want to create a
baseline. Use the following instructions to create a log that will capture
performance data for any length of time:

1. Launch the Performance tool as previously described.

2. Expand the Performance Logs and
Alerts node in the left pane.

3. Right-click Counter Logs and select
New Log Settings.

4. Enter a name for the log, such as
Baseline 1.

5. Click the Add Counters button on
the General tab and add the counters you
want to log.

6. Select the Log Files tab, then select the log file format you prefer. (I
prefer the comma delimited text file so that I can analyze the data easily in
Microsoft Excel.)

7. On the Schedule tab, schedule a start and stop time for the log or set it
to start manually. Note that you can run a command after the log is created.

8. Click OK.

9. If you're prompted to create the log
directory, click Yes.

You now have a performance log configuration. If you created the log
configuration with the 10 counters covered in this article, you have an
excellent configuration for creating baselines. Use this log to capture a
baseline of your server's performance when it's performing well. Then, when
users inform you that it's not performing well, you can run the log again and
compare the two log files. Figure 4 shows two graphs generated in Excel 2007
from comma-separated value (CSV) log files created in the Performance tool.
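
One way to automate the comparison of a new log against the baseline, as an added example rather than anything from the article or the Performance tool itself. The two logs are constructed samples in the tool's comma-delimited format, and the server name SRV1, the interface name NIC1, and the 2x growth factor standing in for "increased dramatically" are assumptions; the other thresholds are the ones the article gives.

```python
import csv
import io
import re
from statistics import mean

# Constructed sample logs in the comma-delimited Performance tool format.
HEADER = (r'"(PDH-CSV 4.0) (Eastern Standard Time)(300)",'
          r'"\\SRV1\Processor(_Total)\% Processor Time",'
          r'"\\SRV1\PhysicalDisk(_Total)\Avg. Disk Queue Length",'
          r'"\\SRV1\Memory\Pages/sec",'
          r'"\\SRV1\Network Interface(NIC1)\Bytes Total/sec",'
          r'"\\SRV1\Network Interface(NIC1)\Output Queue Length"')
BASELINE_CSV = HEADER + '''
"01/11/2010 09:00:00.000","35.0","2.3","20","400000","0"
"01/11/2010 13:00:00.000","40.0","2.3","30","500000","0"
"01/11/2010 17:00:00.000","45.0","2.3","10","600000","0"
'''
CURRENT_CSV = HEADER + '''
"03/15/2010 09:00:00.000","60.0","2.0","25","1500000","3"
"03/15/2010 13:00:00.000","72.0","2.2","30","1600000","4"
"03/15/2010 17:00:00.000","78.0","2.1","35","1700000"," "
'''


def load_averages(text):
    """Return {counter path without the \\\\HOST prefix: average value}."""
    rows = list(csv.reader(io.StringIO(text.strip())))
    header, samples = rows[0], rows[1:]
    averages = {}
    for col in range(1, len(header)):            # column 0 is the timestamp
        path = re.sub(r"^\\\\[^\\]+", "", header[col])
        values = []
        for row in samples:
            try:
                values.append(float(row[col]))
            except (ValueError, IndexError):     # blank or missing sample
                continue
        if values:
            averages[path] = mean(values)
    return averages


def compare_to_baseline(baseline, current, growth_factor=2.0):
    """Return (counter path, baseline avg, current avg, reason) tuples."""
    findings = []
    for path, now in sorted(current.items()):
        base = baseline.get(path)
        counter = path.rsplit("\\", 1)[-1]
        grew = base is not None and base > 0 and now > base * growth_factor
        reason = None
        if counter == "% Processor Time" and now > 65:
            reason = "average above 65 percent; check memory and disk too"
        elif (counter == "Avg. Disk Queue Length" and now > 2
              and (base is None or now > base)):
            # A queue above 2 that is no worse than an acceptable baseline
            # is not reported, following the article's 2.3 example.
            reason = "queue above 2 and worse than the baseline"
        elif counter == "Output Queue Length" and now > 2:
            reason = "NIC or network cannot keep up with the server"
        elif counter == "Bytes Total/sec" and grew:
            reason = "traffic far above baseline: heavier use or an attack"
        elif counter == "Pages/sec" and grew:
            reason = "paging about %d KB/s with 4 KB pages" % (now * 4)
        if reason:
            findings.append((path, base, now, reason))
    return findings


if __name__ == "__main__":
    report = compare_to_baseline(load_averages(BASELINE_CSV),
                                 load_averages(CURRENT_CSV))
    for path, base, now, reason in report:
        print("%-50s baseline=%s current=%.1f  %s" % (path, base, now, reason))
```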

Measuring Hardware Performance 

The Performance tool provides counters that can be used to measure the
performance of hardware against recommendations or baselines. Capturing the
right counters is the key to success with this tool. It's also important to
know that new counters are added every time you install a major Microsoft
application (e.g., Microsoft SQL Server, Microsoft Exchange Server, Microsoft
IIS).

Take a close look at the new log replication architecture
that provides built-in resilience to your organization

Because email is a mission-critical application, Microsoft has invested a lot of engineering talent as well
as money over the years to provide Microsoft Exchange Server with the ability to resist different types
of failure and deliver a highly available service. Exchange Server 2007 was a watershed for high
availability in many ways because of the introduction of log replication technology in local continuous
replication (LCR), cluster continuous replication (CCR), and standby continuous replication (SCR).
Now Exchange Server 2010 takes a new approach to high availability by introducing the Database
Availability Group (DAG), which is based on many of these same log replication techniques.

However, working with DAGs introduces new concepts, design challenges, and operational concerns that
administrators have to understand before bringing a DAG into production. This article covers the underlying
concept and explains Microsoft's motivation for the introduction of DAGs in Exchange 2010. A future article
from Paul Robichaux will discuss how to build your first DAG.

High Availability Goals for Exchange 2010 

Microsoft's first goal with the Exchange 2010 availability story was to improve on the Exchange 2007 high-availability
features. The Exchange 2007 implementation is a little immature and overly complex. Having three different types
of log replication is confusing, and the lack of automatic failovers and the lack of a GUI to control end-to-end
operations from creation to failover are the hallmarks of a V1.0 implementation.

These limitations aside, the basic technology involved all works: copying transaction logs from a source to a 
target server, validating their content, then replaying that content to update passive copies of databases. Microsoft's 
decision to focus on continuous log replication as the basis for high availability in Exchange 2010 is understandable, 
and the developers have delivered a more manageable and complete solution. Exchange 2010 doesn't support LCR, 
CCR, and SCR, but as we'll see, the DAG is more than an adequate replacement. 

Microsoft's second development goal was to include sufficient functionality in Exchange 2010 to let customers
build highly available infrastructures without having to invest in expensive third-party add-on products. Although
there's no doubt that third-party technology boasts its own set of useful availability features, especially when coupled
with high-end storage systems, Microsoft has a large and diverse Exchange customer base, not all of which can
afford to invest in the financial and administrative cost of deploying add-on technology. Having a solid set of
high-availability features built in to the product and administered through the standard management interfaces—
Exchange Management Console (EMC) and Exchange Management Shell (EMS)—increases the attractiveness
of Exchange as a platform, removes complexity, and avoids cost for customers in the small-to-midsized
business (SMB) segment as well as for a large number of enterprise customers.

Finally, Microsoft wanted to let customers deploy highly available servers in an incremental manner. In
previous versions of Exchange, you have to do a considerable amount of preparation to deploy a highly
available solution. For example, if you want to deploy clustered Exchange servers, you have to ensure that
suitable hardware is available, then install a Windows cluster, then install Exchange with the correct
switches to create virtual Exchange servers running on the cluster and connected to cluster resources such as
shared storage. This process isn't something that you do without planning.

The concept of incremental deployment as implemented in Exchange 2010 is that you can deploy typical Exchange
Mailbox servers first, then decide to include those servers in a DAG as the need arises to incorporate more
high availability into the environment. You can also gradually expand the DAG to include more servers or more
database copies to add resilience against different failure scenarios as time, money, and hardware allow.

Microsoft introduced storage groups as the basis for database management in Exchange 2000. Databases fitted
inside storage groups, which belonged to servers. All the databases in a storage group shared a common set of
transaction logs, and transactions from all the databases in the storage group were intermixed in the logs.
Storage groups were sometimes convenient, but eventually Microsoft determined that they introduced an extra
layer of complication for administrators, and the process to remove storage groups from the product began in
Exchange 2007. It therefore comes as no surprise that storage groups disappear in Exchange 2010.

Defining a DAG 

Fundamentally, a DAG is a collection of databases and database copies that are shared across as many as
sixteen servers. The DAG differentiates between a primary database (the one that you originally create and
users currently connect to) and the copies that you subsequently create on other servers. The DAG can swap the
database copies into place to become the primary database following a failure of the primary database. The
failure might be a complete server failure that renders all of the databases on the server inaccessible or a
storage failure that affects just one database. In either case, the DAG is capable of detecting the failure
and taking the necessary action to bring appropriate database copies online to restore service to users.

Servers within a DAG can support other roles, but each server must have the Mailbox role installed because it
has to be able to host a mailbox database. Servers can also be on different subnets and span different Active
Directory (AD) sites as long as sufficient bandwidth is available. Microsoft recommends that all servers in a
DAG share a network with a round-trip latency of 250 milliseconds or less. An Exchange 2010 server running the
Enterprise edition can support as many as 50 active databases but the Standard edition is limited to 5
databases. When you include passive database copies that a server hosts for other servers, this number is
increased to as many as 100 total databases on the Enterprise edition.

The introduction of the DAG smashes the link between a database and the owning server to make portable
databases the basic building block for high availability in Exchange 2010. This development is probably the
most fundamental architectural change Microsoft has made in Exchange 2010.

Figure 1: A sample DAG architecture

Windows Clustering 

Underneath the hood, the DAG uses Windows failover cluster technology to manage server membership within the
DAG, to monitor server heartbeats to know what servers in the DAG are healthy, and to maintain a quorum. The
big differences here from clustering as implemented in other versions of Exchange are that there's no concept
of an Exchange virtual machine or a clustered mailbox server, nor are there any cluster resources allocated to
Exchange apart from an IP address and network name. Another important management difference is that you never
need to manage cluster nodes, the network, or storage resources using the Windows cluster management tools
because everything is managed through Exchange.

The dependency on Windows clustering means that you can add Mailbox servers to a DAG only if they're running
on Exchange 2010 Enterprise Edition on Windows 2008 (SP2 or R2) Enterprise Edition. It also means that all of
the DAG member servers must be part of the same domain. You should also run the same version of the OS on all
the DAG member servers; you definitely can't mix Windows 2008 SP2 and Windows 2008 R2 within the same DAG and
it makes good sense to keep all the servers in the organization at the same software level.

Transaction Log Replication 

Within the DAG, Exchange maintains the copies of the databases through a process of log replication.
Transaction logs generated on the active server are copied by the Microsoft Exchange Replication service
(MSExchangeRepl) running on each of the servers that maintain passive mailbox database copies, where the logs
are validated and then replayed to update the passive copies. The DAG is the boundary of data replication for
transaction logs. In other words, you can't replicate logs to a server in a different DAG and have Exchange
replay the logs into a database replica there. It then follows that before you can create a copy of a
database, it must reside in a DAG, and the target server must be part of the same DAG.

Figure 1 shows an example of a DAG containing three servers, each hosting two databases. Each of the databases
is replicated to one other server to provide a basic level of robustness to a server outage. If server 1
fails, thus halting service to databases 1 and 2, the Active Manager process, which I'll discuss shortly,
reroutes user connections to pick up the copies of the databases on servers 2 and 3. Users connected to
database 1 are redirected to server 2 and users connected to database 2 go to server 3. Similarly, if the disk
holding database 2 on server 1 fails, Active Manager detects the problem and reroutes traffic to server 3.

In Figure 1, each database has just one copy. You might decide that the probability that more than one server
will ever fail at the same time is negligible, so it's sufficient to rely on the single additional copy.
However, if the DAG extended across more than one data center, you would probably configure every database to
replicate to all servers. In this scenario, copies of databases 1 and 2 would be present on server 3 so that
if servers 1 and 2 were both unavailable, users could still get to their data by using the copies hosted on
server 3.


The number of copies you can create for an individual database is limited only by the number of available
servers in the DAG, disk space, and available bandwidth. The high-capacity bandwidth available within a data
center means that disk space is likely to be the biggest problem. This issue is somewhat negated by the
ability to deploy databases on low-cost drives, providing there is sufficient rack space, power, and cooling
within the data center to support the disks.

As an example, you could have an environment with 15 servers in a DAG. There are 110 active databases, each
with 2 passive copies, for a total of 330 databases in the environment. The databases and copies are
distributed evenly across all servers so that each server supports 22 databases. Some of these databases are
active and supporting users; others are copies replaying transactions from primary databases. Each server has
18TB of storage. Having three copies of each database is a reasonable approach to ensuring high resilience
against a wide range of failures, but don't forget to plan your design so that a failure that affects a rack
can't prevent service to a database. In other words, you shouldn't deploy a rack that contains all the servers
that host an active database and all of its passive copies.

Active Manager 

Active Manager is a new component that runs as part of the replication service process on every server within
a DAG. Active Manager is the orchestrator for Exchange 2010 high availability; it decides which database
copies are active and which are passive. This happens automatically and doesn't require administrative input.
However, administrators can dictate the preferred order of activation for database copies and dictate that
some copies are never activated.

Active Manager runs on all servers within a DAG. One server in the DAG is the primary active manager (PAM),
and all others are in a standby active manager (SAM) role. Whether in PAM or SAM mode, servers continually
monitor databases at both the Information Store and Extensible Storage Engine (ESE) levels to be able to
detect failures. When a failure is detected, a server asks the PAM to perform a failover. The server that
hosts the PAM issues the request if it's still online, but if it's offline, another server seizes the role to
become the PAM and brings database copies online.

The PAM owns the cluster quorum resource for the default cluster group that underpins the DAG. The PAM is
responsible for processing topology changes that occur within the DAG and making decisions about how to react
to server failures, such as deciding to perform an automatic transition of a passive copy of a database to
become active because the server that currently hosts the active copy is unavailable for one reason or
another. When a new database copy has been successfully mounted, the PAM updates the RPC Client Access service
with details of the server that hosts the newly activated copy so that client connections can be directed to
the correct server.

Automatic Database Transitions 

The replication service monitors database 
health to ensure that active databases are 
properly mounted and available and that ESE 
has signaled no I/O or corruption errors on a 
server. If an error is detected, the replication 
service notifies Active Manager, which begins 
the process of selecting the best possible 
available copy, then makes that copy active to 
take the place of the failed database. 

To make its choice, Active Manager creates a sorted list of available copies. It ignores servers that are
unreachable or those where activation is temporarily blocked. The list is sorted by how current databases are
to avoid data loss. When the list is available, Active Manager applies a set of criteria to make the final
determination, applying each set of criteria until a database is selected. Up to twelve different checks are
performed to locate the best possible database copy. If more than one database meets the same criteria, the
Activation Preference value is used to break the tie and make the final selection.

The Activation Preference is a numeric property of a database copy that administrators use to control the
order in which Exchange activates copies. For example, if a database fails and there are two copies, one with
activation preference of 2 and the other with activation preference of 3, Exchange activates the copy with the
lower activation preference, 2. This decision assumes that both copies are healthy (they've been replicating
and replaying transaction logs to keep the database up-to-date); Exchange never activates an unhealthy
database if a healthy copy is available.

An automatic failover can't occur if no 
database copy is considered satisfactory. 
If that happens, the administrator has to 
take action to either fix the problem with 
the original database or to bring one of the 
database copies to a state where it matches 
the required criteria. 

After Active Manager determines the best copy to activate, it instructs the replication service on that server
to attempt to copy any missing transaction logs from available sources. Assuming that all transaction logs can
be retrieved, the Store on the selected server can mount the database with no data loss and then accept client
connections. If some logs are missing, the Store applies the AutoDatabaseMountDial setting to decide whether
to mount the database. AutoDatabaseMountDial is a property of a Mailbox server that you can manipulate with
the Set-MailboxServer cmdlet. The default value is BestAvailability, meaning that a database can mount if up
to 12 transaction logs are missing.
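
The selection order and the mount decision described above can be modelled in a few lines of PowerShell. This is an added illustration, not Exchange code and not the author's: the copy records, their property names, and the Select-BestCopy and Test-CanMount functions are hypothetical, and the criteria sets that Active Manager applies are reduced to a single health flag. It assumes PowerShell 3.0 or later for the [pscustomobject] syntax.

```powershell
# Added illustration, not Exchange code: a simplified model of the copy selection
# and mount decision the article describes. All names here are hypothetical.

function Select-BestCopy {
    param([object[]]$Copies)

    # Ignore copies on unreachable servers and copies whose activation is blocked.
    # The Healthy flag stands in for the criteria sets Active Manager applies.
    $candidates = @($Copies | Where-Object {
        $_.Reachable -and -not $_.ActivationBlocked -and $_.Healthy
    })

    # No satisfactory copy: an automatic failover cannot happen.
    if ($candidates.Count -eq 0) { return $null }

    # Most current copy first; the lower ActivationPreference breaks a tie.
    $candidates |
        Sort-Object MissingLogs, ActivationPreference |
        Select-Object -First 1
}

function Test-CanMount {
    # 12 is the BestAvailability limit quoted in the article.
    param($Copy, [int]$MaxMissingLogs = 12)
    $Copy.MissingLogs -le $MaxMissingLogs
}

# Constructed sample data: four copies of one failed database.
# MissingLogs = logs still missing after the replication service tried to copy them.
$copies = @(
    [pscustomobject]@{ Server = 'MBX2'; Reachable = $true;  ActivationBlocked = $false
                       Healthy = $true; MissingLogs = 0; ActivationPreference = 3 }
    [pscustomobject]@{ Server = 'MBX3'; Reachable = $true;  ActivationBlocked = $false
                       Healthy = $true; MissingLogs = 0; ActivationPreference = 2 }
    [pscustomobject]@{ Server = 'MBX4'; Reachable = $true;  ActivationBlocked = $true
                       Healthy = $true; MissingLogs = 0; ActivationPreference = 1 }
    [pscustomobject]@{ Server = 'MBX5'; Reachable = $false; ActivationBlocked = $false
                       Healthy = $true; MissingLogs = 0; ActivationPreference = 4 }
)

$best = Select-BestCopy -Copies $copies
if ($null -eq $best) {
    'No satisfactory copy: an administrator has to intervene.'
}
elseif (Test-CanMount -Copy $best) {
    "Activate and mount the copy on $($best.Server)."
}
else {
    "Copy on $($best.Server) is missing $($best.MissingLogs) logs: leave it dismounted."
}
```

Changing the sample so that every reachable copy has ActivationBlocked set, or so that the best copy is more than 12 logs behind, exercises the two branches in which the database stays down until an administrator acts.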

An administrator can mount a database that can't be mounted automatically by Active Manager. For example,
Exchange won't activate a database copy if its content index isn't up to date. You can force Exchange to
activate the copy with the Move-ActiveMailboxDatabase cmdlet. In this instance, you'd specify the
-SkipClientExperience parameter to tell Exchange that it was OK to ignore the content index. The developers'
choice of "SkipClientExperience" for the parameter reflects their view that having a content index available
is important to deliver the full client experience. However, when a database is down, most administrators want
to restore basic mailbox connectivity immediately and worry about slow or incomplete searches due to an
out-of-date content index afterward.

As soon as the RPC Client Access layer is aware of the transition, it begins to redirect clients to the newly
activated database. Client response to a transition is dependent on the client platform and version. Microsoft
Office Outlook clients working in Cached Exchange Mode issue a notification that they have lost connectivity
and then reconnect when the database is back online. Outlook 2010 is slightly different; it suppresses
messages about lost connectivity for what are regarded as trivial reasons such as a network glitch, so you see
a notification only when connectivity is reestablished.

Following a successful database mount, the Store requests the transport dumpster to recover any messages that
were in transit. Active Manager also notifies the RPC Client Access service that a different copy of the
database is now active so that it can begin to reroute client connections to that database.

When the fault is repaired on the original server and it comes back online, its copy of the database is
passive and is obviously outdated compared with the other copies. The Store runs through a divergence
detection process, then performs an incremental reseed to bring the database up-to-date. The first step is to
determine the divergence point, which is done by comparing the transaction logs on the server with the logs on
a server that hosts a current copy. The Store works out which database pages have changed after the divergence
point, then requests copies of the changed pages from an up-to-date copy. These pages are replayed back until
the repaired copy is synchronized with the other copies. The goal is to have all of this work happen and
restore service to users within 30 seconds. The repaired database remains as a passive copy until the
administrator decides to make it the primary copy again.

Big Promise from DAGs 

There's no doubt that the introduction of the DAG in Exchange 2010 is big news. It's a fundamental change in
the architecture of the Information Store and it lets administrators who might not have considered
implementing highly available Exchange organizations revisit the topic because high availability is now baked
into Exchange. The question is how effective the promise proves to be in production. We'll know the answer
only after we see various DAG designs at work, the operational issues they provoke, and how they survive the
inevitable failures that occur during deployments.

InstantDoc ID 102925 


Tony Redmond (12knocksinna@gmail.com) is a contributing editor for Windows IT Pro, and author of Microsoft
Exchange Server 2007 with SP1 (Digital Press).



www.windowsitpro.com 




Three precautions is all it takes

by Robert Sheldon

When running scripts in Windows PowerShell, an important security consideration that you should take into
account is how to prevent unauthorized scripts from running on your system. By default, you can't run scripts
in PowerShell. However, scripts provide an effective tool in Windows administration, so if you're using
PowerShell, chances are you'll want to run scripts.

A PowerShell script is simply a text file with a .ps1 extension. The file contains one or more PowerShell
statements that run when you call the script file at the console. PowerShell lets you control whether scripts
can run, and if so, which scripts can run. To control script execution and to help protect your system, you
need to

1. Set PowerShell's execution policy.

2. Create an X.509 certificate.

3. Digitally sign your scripts.

If you take these precautions, only the scripts that you digitally sign will be permitted to run in
PowerShell, thus helping to prevent malicious attacks on your system. Note that I assume you're already
familiar with the PowerShell environment. If you're new to PowerShell, see the PowerShell 101 and PowerShell
201 series. For information about these series, go to "New to Scripting? Check Out These Series"
(www.windowsitpro.com, InstantDoc ID 102942).

Setting the Execution Policy

The PowerShell execution policy controls whether you can run scripts and whether configuration files will be
loaded when you start PowerShell. To set the execution policy, you must use the Set-ExecutionPolicy cmdlet to
specify one of the following execution options:

Restricted: PowerShell configuration files won't be loaded and scripts won't run. This is the most restrictive
option and is the default. As a result, when you first install PowerShell, no unintended scripts will run or
configurations will load. However, you can still run individual commands in the PowerShell console.

AllSigned: All scripts and configuration files must be digitally signed by a trusted publisher. To sign a
script, you must use a code-signing certificate. As you'll see later, you can create the certificate yourself.

RemoteSigned: All scripts and configuration files downloaded from the Internet must be digitally signed.
However, scripts on your local computer can run and local configuration files can be loaded without being
digitally signed.

Unrestricted: All scripts will run and all configuration files will be loaded. This is the least restrictive
option and consequently the riskiest.

As you can see, if you want to protect your system and still allow scripts to run and configuration files to
load, you should set the execution policy to AllSigned. To set the policy, run the following command at the
PowerShell command prompt:

Set-ExecutionPolicy AllSigned

You can verify PowerShell's current execution policy (always a good idea after changing the policy) by running
the Get-ExecutionPolicy cmdlet (without any parameters). For more details about the Set-ExecutionPolicy and
Get-ExecutionPolicy cmdlets, see the PowerShell Help files available for each cmdlet. For information about
configuration (i.e., profile) files, see "Save Your PowerShell Code in Profile and Script Files" (June 2009,
InstantDoc ID 101718) and the MSDN article "Windows PowerShell Profiles"
(msdn.microsoft.com/en-us/library/bb613488(VS.85).aspx).

Creating an X.509 Certificate

After you set the execution policy to AllSigned, you must sign your files, which means you need a code-signing
X.509 certificate. X.509 is a cryptography standard that defines the format for such security-related devices
as public key certificates and certificate revocation lists. You can either purchase an X.509 certificate
issued by a public certificate authority or you can create your own certificate authority and certificate. A
full discussion of the X.509 standard and public certificate authorities is beyond the scope of this article.
However, I'll explain how you can create your own local certificate authority and certificate.

To create a certificate authority and certificate on the local computer, you can use the Makecert utility
that's included in the Microsoft .NET Framework SDK. (It's also available in Microsoft Visual Studio 2008 or
Visual Studio 2005.) Note, however, that Makecert is meant for testing only. In a production environment, you
should use a public key infrastructure (PKI) such as Microsoft Certificate Services to create certificate
authorities and certificates.

As with any command-line utility, you can run Makecert at the PowerShell command prompt. For instance, when
you create the certificate authority (which you must do before you create the certificate), you specify the
name of the utility (Makecert) followed by the necessary options. In the following example, I create a
certificate authority named PowerShell CA in the certificate store root:

makecert -n "CN=PowerShell CA" `
  -eku 1.3.6.1.5.5.7.3.3 -r `
  -sv PowerShellCA.pvk PowerShellCA.cer `
  -ss Root -a sha1

This command includes a number of options. Table 1 provides a brief description of them. You can find detailed
information about these and other options in MSDN's .NET Framework Development Center
(msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx). Note that, to run the command in this example, I
added the path where the Makecert utility is located to the Path system environmental variable.

Table 1: Makecert Options Used in the Examples

Option   Description
-n       Name of the certificate authority or certificate
-eku     Enhanced key usage object identifier
-r       Self-signing certificate
-sv      Subject's private key file and certificate file
-ss      Certificate store
-a       Signature algorithm (can be MD5 or SHA1)
-pe      Permits the private key to be exported
-iv      Issuer's private key file (the file specified in the certificate authority)
-ic      Issuer's certificate file (the file specified in the certificate authority)

Figure 1: The Create Private Key Password dialog box

Figure 2: The Enter Private Key Password dialog box

Figure 3: The Security Warning message box

When you run this command, the Create Private Key Password dialog box appears (shown in Figure 1), prompting
you to specify a password. After you enter your password twice and click OK, the Enter Private Key Password
dialog box appears (shown in Figure 2), prompting you for the password you just entered in the Create Private
Key Password dialog box. After you click OK, a Security Warning message box appears (similar to the one shown
in Figure 3), warning you that you are about to install the PowerShell CA certificate authority. After you
click Yes, the Makecert utility creates the certificate authority in your local certificate store.

After the certificate authority has been created, the next step is to use the Makecert utility to create the
actual certificate that will be used to sign your scripts. The following command creates a certificate named
PowerShell Certificate, which is authorized by the PowerShell CA certificate authority:

makecert -n "CN=PowerShell Certificate" `
  -eku 1.3.6.1.5.5.7.3.3 -pe `
  -iv PowerShellCA.pvk `
  -ic PowerShellCA.cer -ss My -a sha1


As with the previous command, this command includes several Makecert options. Table 1 also includes a
description of these options. Note that, for the -ss option (which specifies the certificate store), I
provided the value My rather than Root, as I did when creating the certificate authority. The My value
indicates that the certificate will be stored in the certificate store in the Personal folder of the Current
User store. (The Current User store is used by default. You can also specify -sr LocalMachine to save the
certificate to the Local Computer certificate store.)

When you run the Makecert command to create the certificate, you're once again prompted for a password. This
is your private key password that you specified when you created the certificate authority. The certificate is
then created in the current user's Trusted Root Certification Authorities store.

You can view the certificate through the Microsoft Management Console (MMC) Certificates snap-in, as shown in
Figure 4. Notice that PowerShell Certificate is listed in the right pane of the MMC window. To view the
details about the certificate, double-click it to open the Certificate dialog box. If the Certificates snap-in
isn't available in an existing administrative tool, you'll have to add it to an MMC console. For information
on how to do so, see the Microsoft article "How To Create Custom MMC Snap-in Tools Using Microsoft Management
Console" (support.microsoft.com/kb/230263). After you verify that the certificate has been created, you can
start signing your scripts.

Figure 4: The MMC Certificates snap-in

Signing a PowerShell Script

Signing a script is a straightforward process. You use the Set-AuthenticodeSignature cmdlet and specify the
script file to sign and the code-signing certificate to use when signing the file. For example, suppose you
want to sign the C:\Audit\SecurityAudit.ps1 script file, which callout A in Listing 1, page 76, shows. (To
download SecurityAudit.ps1, go to www.windowsitpro.com, enter 102831 in the InstantDoc ID box, click Go, then
click the Download the Code Here button.) This script retrieves the most recent 20 events listed in the
Security log. The following statements first specify the script file and certificate, then run the
Set-AuthenticodeSignature cmdlet:

$file = "C:\Audit\SecurityAudit.ps1"
$cert = Get-ChildItem cert:\CurrentUser\My `
  -CodeSigningCert
Set-AuthenticodeSignature $file $cert

In the first statement, I assign the full filename as a string to the $file variable. In the second statement,
I use the Get-ChildItem cmdlet to retrieve the code-signing certificate from the certificate store and assign
it to the $cert variable. To retrieve the certificate, I specify as a path cert:\CurrentUser\My. The cert:
prefix is the drive used to access the certificate store. This is followed by CurrentUser, which refers to the
location within the certificate store. The My refers to the certificates within the Personal folder. When you
use the Get-ChildItem cmdlet to retrieve the certificate, you should also include the -CodeSigningCert switch
parameter to retrieve only the certificates that have code-signing authority.

If the My certificate store contains more than one code-signing certificate, the $cert variable will contain
those certificates, in which case you must specify the desired certificate when you reference the $cert
variable. One way to do this is to add the object index after the variable name. For example, you'd use
$cert[0] to call the first code-signing certificate, $cert[1] to call the second one, and so on. However, if
you know that there is only one code-signing certificate, you don't need to include the bracketed index
reference.

After you have set the values of the $file 
and $cert variables, you're ready to sign your 
code. The third statement in the example 
uses the Set-AuthenticodeSignature cmdlet 
to sign the code. Notice that you provide 
the filename ($file) and certificate ($cert) as 
the two arguments to the cmdlet. When you 
run the command, the certificate is used to 
digitally sign the file. You can verify that a 
file has been signed by viewing its contents. 
At the end of the file, you'll find a block of 
commented code that is the digital signa¬ 


Listing 1: Signing the SecurityAudit.ps1 Script File

# Callout A: the script, which lists the 20 newest Security log events
$events = Get-EventLog Security -Newest 20 |
  sort -Property EntryType, Index
foreach ($event in $events)
{
  $event.Index.ToString() + " - " +
    $event.TimeGenerated + " - " +
    $event.EntryType
  Write-Host
}

# Callout B: the digital signature block added when the file is signed
# SIG # Begin signature block

# MIID/gYlKoZIhvcNAQcCoIID7zCCA+sCAQExCzAlBgUrDgMCGgUAMGkGCisGAQQB 

# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrcl<0sYpfvNR 

# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUfuB/MNI2Xll_7Kdw/G0iGyxaW 

# bHigggIcMIICGDCCAYWgAwIBAgIQs7M2bbLob59IMgMEJ4KiDjAJBgUrDgMCHQUA 

# MBgxFjAUBgNVBAMTDVBvd2VyU2hlbGwgQ0EwHhcNMDgwNTE2MTYzMDU2WhcNMzkx 

# MjMxMjM10TU5WjAhMR8wHQYDVQQDExZQb3dlclNoZWxsIENlcnRpZmljYXR1MIGf 

# MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDblzprG3GPB/8xmPAEy5LyxdYw+V4w 

# Z5B57LVaSqvemioQofhsPLZAisRxnKJnqu6QikeOONlniolJAhE3aZBY7meRi87N 

# 5ALYtrv4RWsQ73U4qbQdcyE8f8we9076wG0uYEhUJGDIiRlWwexXZFGbG7fk8zlM 

# efalV+gnjJdVuQIDAQABo2IwYDATBgNVHSUEDDAKBggrBgEFBQcDAzBJBgNVHQEE 

# QjBAgBDhKU0QbIB3f6Y3aWwYebXioRowGDEWMBQGAlUEAxMNUG93ZXJTaGVsbCBD 

# QYIQByoWGo48P3tNANXyw/17nDAJBgUrDgMCHQUAA4GBAIvPeuaJDCI5PTcOQ8Iv 

# Md+aJwg9I01w8U9EloUD6gRfGXowUYN9Hx0WHJoWrKn8wYyPGShWyPsmUxv0po39 

# vQv/0vUkud9Q+bCRBk+lov/fyqrQ9xmJoFRAl4H/WCQ2GyuFH8kP7ZNj81az9Aal 

# dMFrtVIVVTrOSb03TWKjZmxHMYIBTDCCAUgCAQEwLDAYMRYwFAYDVQQDEwlQb3dl 

# clNoZWxsIENBAhCzszZtsuhvn0gyAwQngqIOMAkGBSsOAwIaBQCgeDAYBgorBgEE 

# AYI3AgEMMQowCKACgAChAoAAMBkGCSqGSIb3DQEJAzEMBgorBgEEAYI3AgEEMBwG 

# Ci sGAQQBgjcCAQsxDjAMBgorBgEEAYI3AgEVMCMGCSqGSIb3DQEJBDEWBBQNBhAb 

# I8NF5HE5NfibISx6S0ODaTANBgkqhkiG9w0BAQEFAASBgJjaY7cGezbKsWhg2+jr 

# f60RTRw38vVIfC4x7XoTnl8SK522tRisEMXet5gUJSGqjvC6+ftwuBhi2FTOst3h 

# 3 5TEYa5knzZRe75HaEESsfY9ruqQCdHmaopPyi70v9xq/BMGAoqhlNDqAeLQIXs5 

# kRGlV8SX/UgKHnv2otcq3r0e 

# SIG # End signature block 


certificates in the certification path, delete the private key, and export extended properties. You'll also
need to provide a password and the file location. For these examples, I saved the file to
C:\Audit\PS_Cert.pfx. After you export the certificate, delete it from the certificate store and store the
.pfx file in a secure location.

After you run the wiz¬ 
ard, you're ready to sign 
the file. As before, the first 
two statements should 
define the necessary vari¬ 
ables, as in 

$file = "C:\Audit\\ 
SecurityAudit.psl" 

$cert = Get- 

PfxCertificate C:\Audit\ 
PS_Cert.pfx 


ture. Callout B in Listing 1 shows what this 
signature might look like. After the file has 
been signed, you can run the script. 

When you run a script that's been digi¬ 
tally signed, you'll be prompted to verify 
whether it's safe to run it. You can choose 
to never run the file, not run it this time, 
run it once, or always run it. If you chose to 
never run the file or always run the file, you 
won't be prompted again if you try to run the 
script. 

Using a .pfx File to Sign a Script 

If you use a private certificate to sign your 
files, it's still possible for a malicious pro¬ 
gram to use the certificate to sign a script, 
thus allowing an unwanted script to run. A 
way to help avoid this problem and provide 
even further protection for your system is to 
export your code-signing certificate to a .pfx 
file, then use that file to sign your script. 

To export your certificate, open the Cer¬ 
tificates snap-in and locate your certificate 
(refer back to Figure 4). Right-click the 
code-signing certificate, point to All Tasks, 
then point to Export. This launches the 
Certificate Export wizard. Follow the steps 
in the wizard to export the file. Be sure 
to export the private key along with the 
certificate and enable strong protection. 
You can also choose whether to include all 


In the first statement, I 
assign the script file's location to the $file 
variable. Next, I use the Get-PfxCertificate 
cmdlet to retrieve the .pfx file and save it 
in $cert. 

When you run the second statement, 
you'll be prompted for a password. This 
is the password you specified when you 
exported the certificate to the file. As before, 
use the Set-AuthenticodeSignature cmdlet 
to sign the file. When you run the cmdlet, 
specify the script and.pfx files, as in 

Set-AuthenticodeSignature Sfile $cert 

That's all there is to signing your file. As 
you can see, once you've created your certif¬ 
icate and, optionally, exported it to the .pfx 
file, it's a simple matter to sign the files, yet 
an effective way to help secure your system. 
As any administrator knows, you can never 
be too careful, especially when it comes to 
protecting your PowerShell scripts. ^ 
InstantDoc ID 102831 
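
One way to wrap the .pfx signing step with checks, as an added example that is not part of the original article: it confirms that the .pfx holds a code-signing certificate with its private key, signs the script, and then checks an edited copy to show what the signature detects. The function name Set-VerifiedSignature is hypothetical; the two paths are the ones used in the article.

```powershell
# Added example, not the article's code. The function name is hypothetical;
# the paths passed at the bottom are the ones used in the article.
function Set-VerifiedSignature {
    param(
        [Parameter(Mandatory = $true)][string]$ScriptPath,
        [Parameter(Mandatory = $true)][string]$PfxPath
    )

    # Prompts for the password that was set when the .pfx was exported.
    $cert = Get-PfxCertificate -FilePath $PfxPath

    # The .pfx must carry the private key, or signing cannot work.
    if (-not $cert.HasPrivateKey) {
        throw "No private key in $PfxPath; export again with the private key."
    }

    # Require the Code Signing enhanced key usage (OID 1.3.6.1.5.5.7.3.3).
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $usages = @($eku |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($usages -notcontains '1.3.6.1.5.5.7.3.3') {
        throw "Certificate $($cert.Thumbprint) is not a code-signing certificate."
    }

    # Sign, and stop if the signature does not validate on this machine
    # (for example, because the issuing CA is not trusted here).
    $result = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert
    if ($result.Status -ne 'Valid') {
        throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
    }

    # Edit a temporary copy of the signed script and check it again, to see
    # how a change made after signing is reported.
    $copy = Join-Path $env:TEMP ([IO.Path]::GetFileName($ScriptPath))
    $body = Get-Content -Path $ScriptPath
    Set-Content -Path $copy -Value (@('# edited after signing') + $body)
    $edited = Get-AuthenticodeSignature -FilePath $copy
    Remove-Item -Path $copy

    # Report both results side by side.
    New-Object PSObject -Property @{
        Script       = $ScriptPath
        Signer       = $result.SignerCertificate.Subject
        SignedStatus = $result.Status
        EditedStatus = $edited.Status
    }
}

Set-VerifiedSignature -ScriptPath 'C:\Audit\SecurityAudit.ps1' -PfxPath 'C:\Audit\PS_Cert.pfx'
```

Because the certificate is read from the .pfx each time, the private key stays out of the certificate store between signing runs, which is the protection the section describes.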
Upgrade your environment now to get ahead of the game
by Joel Oleson


Many IT professionals are looking toward next year with excitement, anxiously anticipating the release of SharePoint Server 2010 and wondering what they can do now to prepare. Although many details about SharePoint 2010 haven't yet been revealed, the SharePoint product team has provided guidance on several items to help organizations plan for the upgrade. In addition, SharePoint Server 2007 SP2 includes tools that offer additional insight and configuration information.

Pre-Upgrade 

You can take several measures to prepare your environment for 
SharePoint 2010 before its release. 

System requirements. Servers running SharePoint 2010 will require 64-bit Windows Server 2008 R2 or 64-bit Windows Server 2008. (Microsoft announced more than a year ago that SharePoint 2007 and Windows SharePoint Services—WSS—3.0 would be the last versions to support 32-bit Windows.) Although most rack-mounted servers produced in the past few years are 64-bit capable, most current installations run on Windows Server 2003 in 32-bit mode, which is insufficient for SharePoint 2010; you must run 64-bit Server 2008 in your production environment. Environments running 32-bit hardware will require upgrades. In addition, because Microsoft Virtual Server and VMware's Virtual Desktop Infrastructure (VDI) both support only 32-bit images, you'll need Windows Server 2008 Hyper-V or alternative virtualization software to host 64-bit images.

SharePoint SP2 or later. One of the first things you can do to prepare for SharePoint 2010 is upgrade your current installation to the latest service pack. Upgrading to SP2 or one of the newer cumulative updates will help prepare for SharePoint 2010. SP2 includes:

• PreUpgradeCheck—This key STSADM command provides guidance about upgrade requirements and determines whether an upgrade will fail, without making any changes to the current environment. The command is built on the best practices analyzer and is the best free tool available to help you understand the current state of your environment. I discuss the PreUpgradeCheck command in more detail later in the article.

• Read-only databases—Read-only databases provide uptime flexibility for both build-to-build and version-to-version upgrades. Providing read-only databases to users while other databases are being updated gives users access to data during the upgrade.

• Parallel upgrades—In the past, databases had to be upgraded serially; only one database per server could be upgraded at a time. Although some companies used more hardware to overcome this limitation, you now can upgrade many databases simultaneously, dramatically increasing the speed of build-to-build or version-to-version upgrades.

• EnumAllWebs—This command provides the entire site collection and information hierarchy of your environment. The XML output can be used either as a site map or for inventory.

• DeleteSite and DeleteWeb—These STSADM commands are enhanced in SP2 to include the force command to remove problematic site collections and webs. Use the stsadm -o deletesite -force command to remove orphaned sites and webs.

• VariationFixTool—You can use EnumAllWebs to obtain the 
globally unique identifier (GUID) for sites with variation issues. 
The VariationFixTool command in STSADM lets you repair sites 
with variations that are out of sync. 

SQL Server. For performance reasons, SharePoint 2010 requires a 64-bit OS and hardware for your web infrastructure, as well as for SQL Server. It also requires SQL Server 2008 or 2005. SQL Express 2008 and 2005 are free alternatives, but their lack of management tools makes issue identification difficult. SQL Server 2008 Standard or Enterprise Edition offers the best scalability, performance, and manageability. The edition you use will depend on your high availability, mirroring, and database encryption needs.

Internet browser. SharePoint 2010 won't support Internet Explorer (IE) 6.0. Instead, you'll have to use a standards-based browser such as IE 8.0, IE 7.0, or Firefox 3.x to author content. SharePoint 2010 will also offer an increased level of compatibility with Firefox 3.x and Safari 3.x on non-Windows OSs. This move is a big win for corporations with mixed environments; in addition, it means a richer editing and design experience. If you're planning to upgrade to SharePoint 2010, you'll want to upgrade to a standards-based browser now, rather than continuing to design pages with IE 6.0.

Client desktops. Before deploying SharePoint 2010, you should evaluate your entire environment's desktop requirements. Organizations that still run Office 2003 and Windows XP should consider upgrading to Office 2010 and Windows 7. Office 2010 provides the best innovations yet for Office applications, as well as the richest SharePoint integration. Microsoft Worldwide Partner Conference attendees gave Windows 7 a 90 percent approval rating, and I agree: It's the best OS ever, offering security, compatibility, and stability. It also has fewer hardware requirements than Windows Vista, so many organizations will be able to squeeze another year or two out of their existing hardware while enjoying increased productivity without additional expense.

You also should seriously consider Office SharePoint Workspace, for its improved user experience and attractive licensing options. Although not all users will need Office SharePoint Designer 2010, its designer standards-based desktop might increase adoption and provide tools for those who do need them.

SharePoint 2010 will include Office Web 
Applications, which are "light" versions of 
Office applications that are available directly 
from the cloud, as a subscription service. 
Office Web Applications will reduce the cost 
of upgrading Office applications but still 
provide users with the features they need to 
be productive. 

Mac desktops. You should update your Macintosh desktops to Office 2008 for Mac SP2. This version of Office provides Mac integration with Office and SharePoint; specifically, it includes the new Document Connection for Mac tool, which lets users save and open documents on SharePoint 2007 and Microsoft Office Live Workspace. This enhancement improves the editing experience and integrates the Mac desktop experience with SharePoint and Live Workspace. In addition, Office Live is now compatible with Apple's Safari 4 web browser.

Developer desktops. The ultimate SharePoint developer desktop is 64-bit with 8GB of RAM running Visual Studio 2010 with solid state disks (SSDs). Sound like a dream? Although it might take some serious planning to get your developers running with the latest and greatest technologies, SharePoint 2010's 64-bit requirements will help you justify this expenditure in your development budget. If your remote development includes virtual environments, you'll also need to consider Server 2008 Hyper-V (with a host that supports 64-bit).

Even if you can't upgrade to the ultimate SharePoint development environment immediately, you can specify that future developer desktop purchases include 64-bit hardware, as well as additional RAM to support virtual images and to provide the necessary overhead to run the server. Additional RAM means speed—which leads to faster development and better productivity. SSDs likewise provide the necessary speed and performance for increased developer productivity.

PreUpgradeCheck 

Running the PreUpgradeCheck STSADM 
command runs rules that will help you 
determine how to prepare to upgrade. 

Running the command. The prescan.exe tool is different from PreUpgradeCheck because it makes changes in the content database to show that a site is checked and ready for upgrading. The upgrade itself will fail if the command hasn't been run. Microsoft paid attention to users' feedback about this issue, and PreUpgradeCheck doesn't perform any write operations—it's strictly read-only.

Running the STSADM -o preupgradecheck command with the default settings uses the rules and definitions in either WssPreUpgradeCheck.xml (for WSS 3.0) or both WssPreUpgradeCheck.xml and OssPreUpgradeCheck.xml (for SharePoint 2007 environments). These XML files provide their products' rules for out-of-the-box configuration. Settings include options for processing alternative rules files.

Understanding the output. When you run the PreUpgradeCheck command, you'll notice the word "Passed" in green text for processed rules such as OSPrerequisite; these items receive a pass or fail based on the version of Windows Server installed. The yellow "Information Only" sections call your attention to information you need to be aware of during an upgrade, such as LargeList, where configuration and complexity information about the farm are detailed.

If you run PreUpgradeCheck and see "Failed" in bright red text next to items that need to be corrected before upgrade, this result means the farm contains a custom site definition but SiteDefinition is missing from the XML configuration file. You'll need to address the identified issues, upgrade to 64-bit Server 2008, and rerun the check with the new configuration file.

The output of PreUpgradeCheck isn't just what you see in the simple command output. An Extensible Style Language (XML) file lets you create custom reports for comparison/analysis. An additional web-based HTM report includes a full log of detailed information about each check performed. You can open this report in IE or Firefox. The rich HTM file includes the real meat of PreUpgradeCheck. Two main categories of content are provided: information and configuration, and customizations and dependencies.

Examples of PreUpgradeCheck information and configuration content include:

• Content sources and start addresses 

• Topology +(SSPs), WSS search topology 

• Servers (not including SQL Server) 

• Upgrade types 

• List of alternative access mappings 

• Large lists 

• Language packs 

Examples of PreUpgradeCheck customization and dependency content include:

• Sites based on custom site definitions 

• Sites based on site template 

• Features in use (including missing features)

• Installed language packs

• Features

• Custom list views and custom field 
types, web.config entries 

• Content and site orphans 

• Custom web parts 

• Custom XML-based Collaborative Application Markup Language (CAML) views

• Custom XML CAML content types 

Local server mode. In addition to running PreUpgradeCheck in the default mode to determine farm customizations, you can also run the check in local server mode, which runs a smaller set of rules from the given server. In large server farms, you can run the command in local mode for each server, as well as for the whole farm. You can then compare the reports and identify any differences in configuration and customizations.

I recommend running PreUpgradeCheck early and often because the insight it provides is useful not only for upgrades but also as a best practice and for configuration analysis. PreUpgradeCheck doesn't stop running when it finds an issue, so you can run the command even if you know you have custom site definitions that will generate a failure notice. Because the command is read-only, it provides information without making changes.

Info Architecture and Data Cleanup 

The more optimized your environment, the 
smoother and faster your upgrade will be. 
To improve the upgrade process, trim the 
following content that is simply taking up 
space and would slow down the upgrade: 

• Remove unused sites and site collections 


• Remove orphaned sites, lists, and 
objects identified by PreUpgradeCheck 

• Remove locks and increase the quotas 
for sites that are at or near maximum 
capacity 

• Remove or add missing features and web part assemblies (check dependencies) identified by PreUpgradeCheck

Cleanup also can involve working through and resetting pages and sites back to the site definition, or finalizing previous upgrades. Also be sure to consider the supportability of your customizations and address any improper development, testing environments, or resources. Now is the time to package up the various assemblies and features and build them into solutions that can be deployed easily and consistently. This cleanup can take the form of simply packaging up the code and some of the configuration, or writing scripts for some of it and documenting the rest. When it comes time to actually upgrade, you'll be glad you took the time to perform this cleanup.


Get Started 

You can take several steps now to optimize your environment for upgrading to SharePoint 2010. First, ensure that you have 64-bit hardware capable of hosting your production sites on Server 2008 Hyper-V. As soon as possible, upgrade to SharePoint 2007 SP2 or later. Discuss Office 2010 with your desktop team, including the possibility of using Office Web Applications. Run the PreUpgradeCheck tool, and assess any issues that might hinder an upgrade. Finally, reevaluate and clean up your information architecture. If you communicate about and plan ahead for an upgrade to SharePoint 2010, the process will go much more quickly and smoothly.
INSIGHTS FROM THE INDUSTRY


Email Security and Data Loss 


Email security gets a lot of attention. You know you need spam filters on your Microsoft Exchange Server organization, and if those filters don't work well, you're going to hear all kinds of complaints from end users. You know you need virus and malware protection to save your network from the ridiculous mistakes those same users are likely to make. You've probably spent a great deal of time finding and fine-tuning the solutions that provide this protection to your network. But have you spent an equal amount of time thinking about outbound security threats from email and other sources?

Some companies certainly have. That's a key takeaway from the recent survey by Proofpoint, "Outbound Email and Data Loss Prevention in Today's Enterprise, 2009." In addition to outbound email, the survey also questions respondents about concerns for data loss related to mobile devices, blogs and message boards, social media and media sharing sites, and other technologies. Overall, more than half the respondents said they were "concerned" or "very concerned" about losing data through these various outlets.

This year's survey also looks at how economic factors are affecting security concerns about data loss. Layoffs can lead to security problems at any time, but when layoffs strike the IT department, which is already working on a super-tight budget, the potential for significant problems arises. I spoke with Keith Crosley, director of market development for Proofpoint and author of the annual survey since it began in 2004.

"IT departments have got to be mindful of this," Crosley said. "You've got to limit access to accounts as soon as possible when a termination is occurring." Overall, more than 17 percent of companies investigated data loss around an employee leaving the company during the last year; in the largest companies (over 20,000 employees), the number rises to 32.2 percent.

When I think of data loss, what comes 
to mind are the movies or books I've read 
about corporate espionage and all the 
outrageous shenanigans that go into such 
stories. And I suppose there might be some 
grain of truth in those stories. However, 
as Crosley said, "The vast majority of data 
breaches or potential data breaches are 
completely inadvertent, and they often 
relate to employees simply trying to do their 
jobs." Crosley describes the problem as a 
cultural issue: We're so conditioned to using 
email for communications that we don't 
necessarily realize when we're breaking the 
rules. 

One story Crosley tells to highlight this point is that of nurses or other medical personnel inadvertently breaking HIPAA regulations by sending confidential patient information through email. The intent is simply to pass along shift notes when it's time to go home. Although it might be convenient for two individuals to communicate through Gmail if they're not otherwise going to cross paths, the security of such communication is simply not adequate. The moral here is the need for better education: Make sure you have corporate policies in place governing appropriate email use, and make sure your employees know what the rules are.

Something I found a bit surprising from the survey is the number of companies that have dedicated staff monitoring outbound email. Almost a third (32.9%) of the companies in the survey reported having "staff whose primary or exclusive job function is to read or otherwise analyze outbound email content." Wow. These companies must have—or think they have—a significant problem if they're willing to pay people just to perform this function. Or maybe it's just a proactive attempt to avoid litigation from giving out credit card numbers or private medical information.

"I don't think that companies of any significant size can afford to be without a technology approach to scanning outbound email because you can't solve these problems manually," Crosley said. "You can't, after the fact, do a random sampling of outbound email content and go, 'Look, we're regularly leaking credit card data.' That's not helpful." Of course, Proofpoint offers email security and data loss prevention products both as on-premises and hosted solutions.

The Proofpoint survey has some interesting statistics about social media sites, Short Message Service (SMS—i.e., texting, Twitter), as well as the types of data companies fear is being lost and the actions taken against employees for violating the rules. You can download the full report from Proofpoint's website if you want to see the bigger picture of data loss potential in the enterprise. And you can see Keith Crosley give a brief presentation with some more quick stats in the video below.

—B.K. Winstead 
LinkedIn: IT Pro Friend or Foe?

LinkedIn, sometimes called the "Facebook for business," is a social networking site that allows you to post your resume, work experience, skills, and more on a free profile. But LinkedIn is more than a static profile page—this site lets you form connections, like Facebook friends, with people you know or work with. From there, LinkedIn also "links" you to your connections' connections, quickly creating a massive network of people that you are connected to by one, two, or three degrees of separation. I'll give you an example: on my LinkedIn account, I only have a meager 48 connections; however, if you count all of my connections' first connections, I have 2,400 people. And if you count all of those connections' connections too, then I have 265,800 people in my network.

The idea is that if someone two or three degrees away is looking for a contractor or employee in a given field, I can talk to the person that we are both connected to and be "introduced" to that person, potentially forming a business relationship.

Additionally, LinkedIn offers Groups, which let you join associations with like-minded individuals related to a variety of demographics—industry of employment, age, race, geographic area, etc. Through this, you can meet additional individuals and, ultimately, encounter additional business opportunities.

LinkedIn is quite lucrative for recruiters and consultants—anyone who needs to interact with a large variety of individuals. But, for someone who isn't looking for contract work and is satisfied with his or her current employment, is LinkedIn worth the effort? That's the question I posed on Twitter, and here are the responses I got.

LinkedIn Connects You to Recruiters

Of the responses I received, two IT pros mentioned that they have been solicited by recruiters while on LinkedIn. And it wasn't the result of active questions and presence on LinkedIn; rather, simply having a passive presence on LinkedIn with your employment information listed is enough to receive notices from recruiters.

But what if you don't have any interest in leaving your job? Well, even so, keeping abreast of who's hiring, what skills employers are looking for, and what the going salary for a given position in a given region is are all valuable when negotiating pay and promotion with your current employer, or when weighing whether you want to stay with your current employer.

Two of the best things about LinkedIn are (1) you don't have to worry about your employer becoming suspicious that you might leave your current position, as they might if you posted a profile on Monster.com, and (2) that you can be fairly passive on LinkedIn, only stopping by every few months to update your information, and still receive many of the benefits. As one reader put it: "I think it's good from an employee standpoint and from a recruiter standpoint. It may sound terrible, but there is only one person looking out for our best interests."

Communication Limitations

As another reader and I discussed, LinkedIn can be quite frustrating because of the poor communication tools in it. Whereas Twitter and Facebook allow you to watch conversations between friends, family members, and colleagues, LinkedIn uses a fairly outdated model. LinkedIn lets you send private messages to other users (like an email), and it lets you pose general questions to all of the site's users or just your connections (like a discussion board). And that's pretty much the extent of its communication capabilities. (As one Windows IT Pro editor mentioned, if Facebook had the option to also have a business account, it might render LinkedIn completely obsolete, since Facebook has such superior communication tools.)

"The functionality [in LinkedIn] is such that you cannot approach people. This just does not work in the long run!" noted one user on Twitter, and I have to agree. The way LinkedIn works right now, you need to find connections through other means before you can reap the rewards, which is fine, but that hardly makes LinkedIn a one stop shop for business social networking.

Takeaways for IT Pros, Advice for Employers

While LinkedIn is not the social media tool for business that it's often purported to be, it does have value as a fairly low-maintenance way to keep your name and information out in the ether for recruiters, friends, and potential employers to see. My advice would be to start an account as soon as you can, and build up as many valuable connections as you can. Change happens quickly, and you might find yourself no longer with your current employer (by your choice or not), so it's best to build connections now and avoid an awkward approach later.

And if you're interested in doing more in-depth networking, I recommend attending industry-related tradeshows or establishing a Twitter presence. Twitter allows you to start interesting conversations, gauge industry buzz, and connect with individuals who have a strong presence in your market.

Finally, a note to employers wondering what they can do to keep their employees from being poached by recruiters on LinkedIn: create an atmosphere in your organization where employees feel comfortable enough to honestly voice their concerns and frustrations with management. If you can do this, your employees won't feel the need to find other opportunities behind your back. They'll be open and transparent about their career plans, allowing you the opportunity to fight for the staff you really want to keep and seek replacements for others proactively, so you aren't caught with your pants down. Who knows, maybe LinkedIn is the place to seek those candidates?

—Brian Reinholz 
PRODUCTS


INDUSTRY BYTES 


New Data Breach Rule for Healthcare Companies 


A new data security law recently went 
into effect as part of the U.S. Department 
of Health & Human Services (HHS) Health 
Information Technology for Economic 
and Clinical Health (HITECH) Act. This new 
law, called the "Breach Notification for 
Unsecured Protected Health Information," 
is aimed at health organizations covered 
by the Health Insurance Portability and 
Accountability Act (HIPAA). 

According to the rule, only healthcare 
providers and healthcare plans that don't 
use HHS-approved techniques to encrypt 
or destroy information will be required 
to notify individuals within 60 days of a 
breach of such unsecured protected health 
information (PHI). Breaches that affect 
more than 500 people must be reported to 
the HHS, as well as to the media. 

However, in an "interim final rule" version, the HHS amended the law to note that healthcare companies must publicly disclose data breaches only if the breach threatens significant financial or reputational harm to the individuals affected.

And whether this risk is deemed significant is left up to the discretion of the healthcare company whose data has been compromised—which raises the hackles of opponents to the new rule, who contend that the amendment effectively guts the law.

Mark Bower, Voltage Security's director of information protection solutions, asserts that "the protection law should address everyone—including those who have already implemented encryption, since most encryption systems are point-to-point even when they say otherwise."

In addition, Bower notes that "the bad guys are always looking for a way in, and in many cases they're highly sophisticated, organized criminals, so we'll keep bumping into a wall if we don't get smart and protect data end-to-end."

For the full text of the breach notification rule, go to http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.

—Lavon Peters 

InstantDoc ID 102885 


Keyboard Error


We're certain that the phrase “Anti-Glare Technology for Computer Nerds”— 
which heads up this week's most fascinating press release—will probably appeal to 
some geeky types, but we wonder whether the 85 percent of the world that doesn't 
identify themselves as “computer nerds” will be 
so understanding. The company Laptop Burka 
is offering a new product called GEEK SHEET, 
which offers “chipheads and laptop geeks all 
around the world a way to work outside and blog 
away with a proven portable space that reduces 
glare by 100 percent." The GEEK SHEET glare- 
reduction device is “breathable, lightweight, 
and mobile for laptop screens everywhere." 

It costs $16.99. Visit Laptop Burka at www 


Keyboard not responding. Press any key to continue.
Figure 1: Hmmm .

Are you sure you want to send 'Recycle Bin' to the Recycle Bin?
Figure 2: The creation of a black hole

Will you remember of this password ? !
Figure 3: I probably won't remember of it


User Moment 
of the Month 


Email your industry humor, 
scandalous rumors, funny screenshots, 
favorite end-user moments, and 
IT-related pics to rumors@ 
windowsitpro.com. If we use your 
submission, you'll receive 
A FREE GIFT. 


About a decade ago, I got a job working IT for a publishing company back 
east. When I walked in the door, I discovered that the company's meager 
hardware resources consisted of a couple systems with tiny hard drives 
and 3.5" disk drives. My new supervisor proudly showed me his 
weekly backup process, which he had been able to improve and 
make less time-consuming over time: He had discovered that he 
could accomplish an entire data backup (which normally required 
10 discs) with only one disk. Curious, I asked how he had managed that. 

"Simple," he said, walking me through the process. Whenever the computer prompted 
him, Is it OK to overwrite this floppy disk?, he was clicking Yes and repeatedly overwriting 
his backup data. Needless to say, the backup policy changed that night. —Jacob 
The servers that pay for themselves in 3 months. 




ALTERNATIVE THINKING ABOUT SERVERS: 


Next generation HP ProLiant servers. 
11:1 consolidation and rapid ROI. 



• Achieve 95% reduction in energy and cooling costs 

• Realize savings of up to 90% in software license fees 

• Reduce the number of servers to manage by 90% 

Technology for better business outcomes. 




HP ProLiant DL380 G6 server 


Up to two Intel® Xeon® Processor 5500 Series 
144 GB maximum memory footprint 

Now supports up to 8 small form factor high-performance SAS 
hard drives or up to 6 large form factor SATA hard drives 
HP Insight Control cuts management costs by up to $48K per 
100 users over 3 years* with integrated management suite 


$2,099 (Save $725) 

Lease for just $55/mo.** 
(PN: 470065-153) 


See how HP innovation is delivering radical ROI for companies 
like yours at hp.com/servers/roi21 or call 1-866-545-0296. 



*White Paper sponsored by HP, Gaining Business Value and ROI with HP Insight Control, #218069, May 2009. **Prices shown are HP Direct prices; reseller and retail prices may vary. Prices shown are 
subject to change and do not include applicable state and local taxes or shipping to recipient's address. Offers cannot be combined with any other offer or discount and are good while supplies last. All featured 
offers available in U.S. only. Savings based on HP published list price of configure-to-order equivalent (DL Server: $2,824-$725 instant savings = SmartBuy price of $2,099.) Financing available through 
Hewlett-Packard Financial Services Company and its subsidiaries (HPFSC) to qualified commercial customers in the U.S. and is subject to credit approval and execution of standard HPFSC documentation. Prices 
shown are based on a lease 48 months in term with a fair market value purchase option at the end of the term and are valid through January 31, 2010. Other rates apply for other terms and transaction sizes. 
Financing is available on transactions greater than $349. Other charges and restrictions may apply. HPFSC reserves the right to change or cancel this program at any time without notice. Financing available 
through Hewlett-Packard Financial Services Company and its subsidiaries (HPFSC) to qualified commercial customers in the US and Canada and is subject to credit approval and execution of standard HPFSC 
documentation. Offer valid through January 31, 2010 on transactions in the United States between $1,500 and $150,000 USD and in Canada between $5,000 CAD and $150,000 CAD. Zero percent 
financing assumes transaction is documented as a lease with a $1 end-of-term purchase option (or local country equivalent), assuming lessee is not required to pay any nominal end-of-term purchase price 
at the end of the lease term and disregarding any changes payable by lessee other than rent payments such as maintenance, taxes, fees and shipping. This offer cannot be combined with any other rebate, 
discount or promotion without prior approval by HP and HPFSC. Rates are based on customer's credit rating, financing terms, offering types, equipment type and options. Not all HP products are eligible for 
the 0% lease rate. Not all customers may qualify for these rates. Other restrictions may apply. HPFSC reserves the right to change or cancel this program at any time without notice. Intel, the Intel logo, Xeon 
and Xeon Inside are trademarks of Intel Corporation in the U.S. and other countries. 

©2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 














From: Renewal time, here comes 
the pain again 

To: Predictable pricing & 
consistent support 




NO-NONSENSE 
WEB FILTERING 


That's what you'll get when you switch to iPrism from 
St Bernard - the award-winning web filter that's easier in 
every way, and less expensive to own. 

iPrism is changing the way companies and schools everywhere 
handle their web filtering. With blazing throughput 
speeds up to 100+ Mbps, anti-virus protection and 
seamless XenApp and Active Directory integration, iPrism is 
the appliance-based solution of choice for customers and 
institutions of any size. 

Find out more about the easiest-to-deploy, most highly 
rated web filtering solution ever - the industry's ONLY 
Citrix-ready web filtering appliance. 


Stbernard 

FLIP THE SWITCH 

Get your iPrism® Switch Kit today: 

FREE 30-day onsite evaluation 

that can be deployed without any client or 
network changes 

FREE enhanced technical support 

for setting up matching policies, reports & alerts 
based on your current settings 

INCENTIVE PRICING & A FREE T-SHIRT 

just for watching a live demo 




Call 1.800.782.3762 or go to www.SwitchToiPrism.com/flip 


iPrism® h-Series, the world's #1 Web Filtering appliance. 

© 2009 St Bernard Software, Inc. 






